Saturday, January 30, 2016

UCOP Ordered Spyware Installed on UC Data Networks (Updated 31 Jan; Updated 3 Feb)


The San Francisco Chronicle has coverage of an issue that has been circulating on faculty email networks at UC Berkeley for a few days. The piece, "Cal professors fear UC bosses will snoop on them," is behind a paywall. The first sentence reads, "UC Berkeley faculty members are buzzing over news that University of California President Janet Napolitano ordered the installation of computer hardware capable of monitoring all e-mails going in and out of the UC system." UC's Chief Operating Officer says that UC policy “forbids the university from using such data for nonsecurity purposes.” UC Berkeley's Senate chair replies, "What has upset a lot of the faculty was that the surveillance was put in place without consulting the faculty. In fact, the people installing the system were under strict instructions not to reveal it was taking place." On the blog's Facebook page, we've had some debate about how new this capability is, with some faculty from various universities saying they've always assumed their university email could be monitored at any time, and others saying this is a new level of intrusion.


Here are two communications from UC Berkeley faculty, one about how faculty there came to know about the program, and the other a timeline of events.


EMAIL 1: January 28, 2016:

In recent weeks The Senate-Administration Joint Committee on Campus Information Technology (JCCIT) has learned that UCOP installed hardware on the campus network designed to monitor and possibly record all network traffic coming or going to the campus.

This secret monitoring is on-going.

UCOP would like these facts to remain secret.  However, the  tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

Some salient facts:

- The UCOP had this hardware installed last summer.

- They did so over the objections of our campus IT and security experts.

- For many months UCOP required that our  IT staff keep these facts secret from faculty and others on  the Berkeley campus.

- The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consist we do not know.

- The intrusive device is capable of capturing and analyzing all network traffic to and from the  Berkeley campus, and has enough local storage to save over 30 days of  *all* this data ("full packet capture").  This can be presumed to include your email, all the websites you visit, all the  data you  receive from off campus or data you  send off campus.

- UCOP defends their actions by relying on secret legal determinations and painting lurid pictures of "advanced persistent threat actors" from which we must be kept safe. They further promise not to invade our privacy unnecessarily, while at the same time implementing systems designed to do exactly that.

- It is very far from clear that UCOP has a better plan or better qualified IT security people or infrastructure than does the Berkeley campus, and they've shut these qualified people out of the picture.


EMAIL 2: January 29, 2016

According to other members of the Senate-Administration Joint Committee on Campus Information Technology (JCCIT):

A network security breach was discovered at the UCLA Medical Center around June 2015.

UCOP began monitoring of campus networks around August 2015.

ONLY AFTER this monitoring, on August 27, 2015, did UCOP issue a new cybersecurity policy online under the heading of "Coordinated Monitoring Threat Response." The policy describes how UCOP would initiate "Coordinated Monitoring" of campus networks even though it is believed that such monitoring was already underway prior to the announcement of the new policy.


On Dec. 7, 2015, several UC Berkeley faculty heard that UCOP had hired an outside vendor to operate network monitoring equipment at all campuses beginning as early as August 2015. The process was apparently shrouded in secrecy and staff were instructed not to talk about it because of "attorney-client privilege" although it remains unclear how attorney-client privilege applies in this situation.  Extensive monitoring and storage of inbound and outbound Internet traffic at UC Berkeley was being performed, including storage and possible transmission to the outside vendor of packet headers with URLs and email metadata (to-from fields). The Berkeley campus IT staff does not collect this type of information because it violates UC Berkeley IT Privacy policy.

On Dec. 18, 2015, those UC Berkeley faculty sent a letter to UC President Janet Napolitano requesting more information and asking that the monitoring cease.

On Dec. 21, 2015, UC Vice President and CIO Tom Andriola met with most of the faculty who signed the Dec. 18, 2015 letter and Berkeley Assoc. Vice Chancellor and CIO Larry Conrad, and Berkeley Academic Senate chair Ben Hermalin. Tom confirmed that monitoring equipment was installed at the Berkeley campus by an outside vendor and that it would be removed promptly and publicly disclosed by UCOP.

On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others.  The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.  The Senior faculty members of JCCIT met privately after the meeting and deliberated carefully about options, concluding it was their duty to come forward. To protect staff, administrators, and non-tenured faculty, it was decided an open letter should come from a group of tenured faculty, stating that "We are UC Berkeley faculty who have reason to believe that extensive monitoring and storage of inbound and outbound Internet traffic at UC Berkeley is being performed by an outside vendor at the request of the UC Office of the President, with no disclosure to UC Berkeley faculty or students...." A draft open letter "To Whom It May Concern" was circulated to all senior faculty who signed the Dec. 18, 2015 letter, stating our intentions to forward this to the New York Times.  Eleven senior faculty signed it.

On Jan. 15, 2016, the letter was sent to the New York Times and reached reporter Steve Lohr. Senior campus administrators in the Chancellor's office and UCOP were also sent copies.

On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter.  The original version was marked "CONFIDENTIAL: DO NOT DISTRIBUTE" and invoked "Attorney-Client privilege". After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: "All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter.  It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed." The letter admits that extensive monitoring is being performed by an outside vendor but does not provide a rationale for continuing this monitoring six months after it was initiated nor for the ongoing lack of disclosure from UCOP to students and faculty.


UPDATE: the Nava letter of 1/19/16:

EXECUTIVE VICE PRESIDENT - CHIEF OPERATING OFFICER
OFFICE OF THE PRESIDENT

1111 Franklin Street, 12th Floor

Oakland, California 94607



January 19, 2016

Dear Colleagues:

I am writing to follow up on earlier discussions about cybersecurity matters across the UC system and to share to the fullest extent possible the principles and considerations that guide the University’s efforts to respond to cyber attacks.

First, I want to thank you for sharing your concerns that we maintain the privacy protections enshrined in University policy even as we significantly strengthen our cybersecurity posture. As explained below, I do not believe these imperatives conflict, in fact, they reinforce one another in crucial ways. I would like to share some key principles and practices that help ensure that privacy protections are consistently upheld in the context of network security activities, some observations about the serious cyber attack we experienced at UCLA, and information about increasingly challenging attacks that are rising at academic institutions across the country.

As you know, on July 17, 2015, UCLA publicly announced that it had suffered a serious cyber attack. The attack appears consistent with the work of an Advanced Persistent Threat actor, or APT. An APT generally emanates from an organized, highly skilled group or groups of attackers that orchestrate sustained, well-planned attacks on high value targets. Today, much effort in the cybersecurity industry is focused on APT attacks because they are difficult to detect and highly destructive. While there is no evidence that cyber attackers actually accessed or acquired any individual’s personal or medical information at UCLA, the University decided to notify stakeholders. UCLA notified 4.5 million patients about the cyber attack. Within days, several lawsuits were filed against the Regents alleging various violations of State law, all 17 of which are now pending.

The UCLA attack, while exceptional in some respects, is part of an increasing trend of cyber attacks against research universities and health care systems. Institutions of higher education are increasingly targets of APT attacks because academic research networks hold valuable data and are generally more open. Indeed, the mission of our University is to promote knowledge sharing and research collaboration, which involves responsibly sharing data. A recent report from Verizon described educational institutions as experiencing “near-pervasive infections across the majority of underlying organizations,” and observed that educational institutions have, on average, more than twice the number of malware attacks than the financial and retail sectors combined.

APTs seek to illicitly harvest credentials across academic networks and then use those credentials, and the trust relationships among systems, to move laterally to other nodes in a given network. There are techniques to address such attacks, but I share these points to underscore the seriousness of the threat posed by APT attackers and the fact that, for cybersecurity purposes, a risk to what appears to be an isolated system at only one location may in some circumstances create risk across locations or units.

In recognition of these realities, President Napolitano has initiated a series of system-wide actions to strengthen the University’s ability to prevent, detect, and respond to such attacks. I believe these efforts are consistent with the reasonable expectations of the University community -our students, faculty, staff, patients, research sponsors, and academic partners- that we undertake serious efforts to protect sensitive data from malicious attacks. I also believe these actions are fundamental to realizing the University’s commitment to privacy. The following actions were taken:

  • A leading cybersecurity firm was engaged to assist the University in responding to the cyber attack, in part by analyzing network activity at all UC locations to detect and respond to any APT activity
  • Every location submitted a 120-day cybersecurity action plan to harden systems and improve administrative and physical safeguards
  • A Cyber-Risk Governance Committee (CRGC) was established, with representation from across the system, including the Academic Senate, to oversee and guide system-wide strategies and plans related to cybersecurity. The CRGC has met several times already and is identifying key ways to strengthen our security posture while honoring the University’s commitment to academic freedom, privacy, and responsible fiscal stewardship
  • A system-wide incident escalation protocol was developed to ensure that the appropriate governing authorities are informed in a timely way of major incidents, and
  • Mandatory cybersecurity training was rolled out to all UC employees by October 1, 2015.


Several faculty members have requested detailed, technical information about the UCLA attack and the specific security measures taken in its immediate aftermath. I understand that some are concerned that such measures may have exceeded the University’s policies governing privacy. I believe such actions were well within the operational authority of the University and in alignment with policy. It is regrettable that as long as the UCLA incident remains the subject of pending legal matters, I cannot publicly share additional information that might correct some of these misimpressions. As a policy matter, however, I wish to address the privacy and governance concerns that arise in the context of data security, without any express or implied reference to the UCLA attack.

With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access. For this reason, the ECP expressly permits routine analysis of network activity “for the purpose of ensuring reliability and security of University electronic communications resources and services.” (ECP, IV.C.2.b.) It expressly permits analysis of “network traffic” to “confirm malicious or unauthorized activity that may harm the campus network or devices connected to the network.” (ECP, V.B.) Significantly, “consent is not required for these routine monitoring practices.” (Emphasis added.) In short, the ECP reflects that, in some circumstances, the protection of privacy actually requires limited examination of electronic communications. (ECP, Attachment 1, V.A (noting that failure to prevent unauthorized access itself undermines privacy and confidentiality).) This is consistent with fair information practice principles and the University’s duties under laws and regulations that require the use of physical, technical, and administrative safeguards to secure sensitive information.

The University takes great care to ensure that its practices reflect the balance outlined in the ECP. I would like to illustrate significant measures that we undertake to honor privacy rights in responding to a cybersecurity threat.

Even in time-sensitive circumstances, privacy impacts are typically evaluated before undertaking a coordinated network security effort. Appropriate privacy protection measures are embedded into the underlying scope of work both at the planning and execution stages of a network security effort. Such analysis typically includes an evaluation of the specific technical and analytic techniques to be used and whether they are consistent with the ECP. It also often means defining an appropriately limited scope for network analysis activity, focusing such analysis on known signatures for APT activity and related indicators of compromise. For vendors, the ECP requires scope discipline to be enforced by contract. (See ECP, IV.A (requiring vendors to be contractually bound to honor University policy).)

Layered review is another privacy-enhancing measure used in appropriate circumstances.1 Layered review requires security alerts to be resolved in tiers, with each tier representing a limit on the type and amount of data to be reviewed. A layered review starts at the lowest tier, using automated review and basic metadata to resolve the security alert at that level. In circumstances where a security threat cannot be resolved at a lower tier or with automated means alone, the human-readable content of an underlying communication may be reviewed. The ECP limits such inspection to the “least perusal” necessary to resolve the concern. (ECP, IV.C.2.b & V.B.) To inspect content beyond what can be examined through “least perusal,” the ECP requires user consent or access without consent under a campus’s procedures, which typically involves a decision from the campus’s senior management.

I understand that some faculty members may be concerned about storage and use of data collected through network security analysis, including questions about data being used by the University for other, unrelated purposes. The ECP forbids the University from using such data for non-security purposes, (ECP, II.E.2, IV.A, & IV.C.2.b (prohibiting University employees from seeking out, using, or disclosing personal data observed in the course of performing university network security duties)), and violators are subject to discipline.2 With respect to storage, much data collected through network analysis may already be stored elsewhere within the University’s network ecosystem (or even with third party cloud or other providers), independent of any network analysis activity. Data collected or aggregated specifically for network security purposes is only stored for a limited time, segregated in a highly secure system, and forensically obliterated thereafter. In some circumstances, a preservation of certain data related to litigation may be required by law, which may result in a longer storage period for a limited amount of network analysis data subject to such a mandate. With respect to third party requests for such data, the University has a long history of defending against improperly intrusive requests, including requests under the Public Records Act.3

Governance is also a critical aspect of this discussion. Ensuring that all stakeholders are fully enrolled in developing the University’s cybersecurity policies going forward is essential. As you know, the President has launched a coordinated system-wide initiative to ensure that responsible UC authorities are appropriately informed about risks, that locations act in a consistent and coordinated way across the entire institution, and that the University can sustain action to manage cyber-risk. A number of structures have been put in place to elevate the importance of cybersecurity within University governance, some of which I described above but elaborate here for emphasis:


  • The President asked the Chancellors to each appoint a single executive to lead efforts to review and improve cybersecurity at their location. These positions are the Cyber-Risk Responsible Executives (CREs), and each position reports directly to the Chancellor or location chief officer.
  • A single escalation protocol has been implemented across the UC system to facilitate appropriate notification and handling of cybersecurity incidents. The protocol is intended to drive consistent analysis and response to cybersecurity incidents. It is being piloted and will be reviewed for effectiveness by the CRGC after six months.
  • In addition to establishing the CRGC described above, the President has appointed a Cyber-Risk Advisory Board, composed of six internal and external expert advisors, to support the CRGC and provide information and advice about emerging issues and best practices in cybersecurity, and to help develop aggressive and effective approaches to managing cyber-risk, consistent with UC’s teaching, research, and public service mission.
  • Finally, a Cyber Coordination Center is being launched to help coordinate a variety of activities across the locations.


With specific reference to faculty governance, the President has reinforced with senior management the need for ongoing dialogue with our faculty and Senate leadership. The Senate has a robust presence at the CRGC, and I believe the CRGC is the best forum to develop mechanisms and policies for further ensuring that Senate leadership is fully engaged in policy development and briefed in a timely way regarding ongoing security matters and practices.

I also welcome a discussion about how to harmonize broader cybersecurity efforts with existing, campus-specific information governance guidelines. Some campus-level guidelines, established as part of system-wide information governance initiatives, limit the specific technologies and methods that may be used for network security activities, including some methods in ordinary use at other University locations and use of which may be necessary to comply with legal duties or to effectively evaluate a specific threat that may implicate multiple locations.

Given the difficult and shifting challenges worldwide in terms of cybersecurity, there is no monopoly on wisdom here. It is my intention to approach these issues with humility and openness, believing that our efforts will only be enriched by an exchange of ideas and viewpoints. I welcome your engagement on these issues and look forward to a deeper, joint effort to protect the privacy of our users and the security of the University’s systems.

Sincerely,
Rachael Nava
Executive Vice President -
Chief Operating Officer

cc: Academic Senate Vice Chair Jim Chalfant

Vice President Tom Andriola

Deputy General Counsel Rachel Nosowsky

Associate Chancellor, Nils Gilman

UCB Professor of Business and Economics, Ben Hermalin
______________________________________________
1 A layered review is not actually required by the ECP and may not be appropriate in all cases, but it illustrates the types of measures used to rigorously observe privacy principles.
2 The ECP creates a specific exception for circumstances where an employee incidentally observes obvious illegal activity in the course of performing routine network security activities. (ECP, IV.C.2.b (defining exception for disclosure of incidentally viewed evidence of illegal conduct or improper governmental activity).)
3 Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.


2 February Updates

Suhauna Hussain. “A Web of Cyber Controversy: UC Monitoring of Campus Network Traffic Sparks Outrage among Faculty.” The Daily Californian, February 2, 2016.

Steve Lohr,  “At Berkeley, a New Digital Privacy Protest.” The New York Times, February 1, 2016

Statement from UC Berkeley CIO, 2 February:

We believe that the existing UC Berkeley policy that has been in place for a number of years strikes a privacy-security policy balance, is robust and reflects this University's best traditions and values. It is the result of a collaborative campus effort that included both staff and faculty, and like them the Berkeley administration believes that all IT policies and procedures, whether system-wide or local, should be transparent and accountable.

Larry Conrad
Chief Information Officer
UC Berkeley


3 February UPDATES:

  • The UCSB Faculty Association requested clarification on the surveillance program from Santa Barbara Divisional Senate Chair

Dear Kum Kum,
We write because we are deeply disturbed by the recent report that UCOP has installed surveillance software “capable of monitoring all e-mails going in and out of the UC system”
(http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php?t=1c3d144ee43ba53be4&cmpid=twitter-premium%20via%20@sfchronicle).   While we are aware that officials at UCOP have sent a letter explaining the context and rationale for installing this software, we do not find that the letter addresses adequately the potential threat that taking such measures poses to academic freedom and shared governance.   As the Board of the UCSB Faculty Association, we request that you ask Chancellor Yang for an immediate and full accounting of all electronic surveillance capabilities now in existence and/or in operation at UCSB, and that you make that information available to all members of the UCSB Academic Senate.
With thanks,
Julie Carlson
Jorge Luis Castillo
Nelson Lichtenstein
Constance Penley
Erika Rappaport
Elisabeth Weber
Robert Williams

  • UCSB Chancellor Henry Yang sent a modified version of COO Nava's 1/19 memo, which you can read here.
  • The UC Academic Senate Committee on Academic Computing and Communications has issued a statement we've posted here. Although they object to the end-run around shared governance in the name of urgent security matters, they give a pass to the surveillance itself--see the final 2 bullet points in particular.

32 comments:

Brian Riley said...

Napolitano, by the way, never uses e-mail herself.

elaine x said...

I just say, keep on them. Together we can honestly and transparently bring the police state mindset to rest. #GlobalPoliceStateStanddown

Anonymous said...

What the hell is UCOP?

Aubrey Kohn said...

The Nazis won the war.

Michael Meranze said...

@Anonymous

University of California, Office of the President

Anonymous said...

Is there a link to the NY times letter somewhere? I would love to know who the 15 faculty are who signed this letter, and wonder why there weren't more signatories.

Anonymous said...

@Anonymous
At that point only about 15 tenured faculty knew about the monitoring. Untenured faculty were discouraged from signing.

Anonymous said...

Just got an e-mail from Janet Napolitano...

"Janet Napolitano, UC President "

I have never assumed a single e-mail I sent was not being
logged/recorded by somebody, starting in 1982 when
I first sent an e-mail. We all know cell-phones have
essentially none of the legal protections that landlines have...
think it is a coincidence that landlines are no longer
well maintained?

If you really, really care, learn how to encrypt.

maggie said...

Isn't transmitting the electronic behavior of students to a 3rd party without their consent a direct violation of FERPA?

cloudminder said...

It is a shame that there is a separate thread running on this topic on "this blog's Facebook page" , there are some conscientious objectors to FB and you might be missing out on that readership, audience by splitting the content fwiw...
Anyway, a few years ago the Wiseman documentary 'At Berkeley' (it runs four hours long, had viewing parties at Cal in celebration of it, was supported by the Cal senior admin.) got a lot of press around it but: the Cal leadership and extended community failed to have a dialogue on at least two key issues raised in it
1- Cal IT security # of ongoing threats etc. was discussed by senior VC level folks and huge numbers were mentioned

2- A Birgeneau cabinet meeting was filmed and multiple topics were discussed including possible persistent practices of nepotism involving an HR 'star' awards program that hands out monetary gifts for performance.
Those are just two that come to mind immediately.
There was no further clarification or ongoing dialogue from California Hall or U. Hall to the community who viewed the documentary around these important issues that directly relate to 'culture and governance' questions. Issues coming up now repeatedly. Instead they just went radio silent on both.
Dirks inherited a mess, quagmires all over.
My understanding is that his Assoc. Chancellor is expert in data management (one of them, not sure how many assoc. Chancellors. Dirks has)
His bio includes: "Prior to joining the Chancellor’s staff in 2014, Nils was the founding Executive Director of Social Science Matrix, Berkeley’s new flagship institute for social scientific research. He spent the previous 13 years as an executive at various software and consulting firms, including Salesforce.com and the Monitor Group."

http://chancellor.berkeley.edu/nils-gilman

Yet, we are not hearing anything from Cal Hall on this issue.

Cal Alumni might also like to know if this in any way affects alum email accounts (as part of CAA membership etc.)

Question:
The decision was made to do this at UC Berkeley based on the breaches at UCLA, but: Did UCLA faculty and staff and leadership voluntarily agree to the same arrangements being implemented there, if so when did it happen at UCLA? and nothing was ever said about it? Isn't the Academic Senate a UC systemwide body?

Finally, to the comment above on NYT, it does not appear to be the case that NYT published the letter or filed or posted a story on this, yet. Just that their reporter was contacted and given the letter.
Right?
That's just initial thoughts, questions...

Chris Newfield said...

@maggie Maggie I would say yes. One commentator has noted that in 2007, the University's Electronic Communication Policy contained the following unambiguous language:

ECP Section IV, "Privacy and Confidentiality," item c, paragraph 3:
In no case shall electronic communications that
contain personally identifiable information about
individuals ... be sold or distributed to third
parties without the explicit permission of the
individual.

the online version is old and may have been changed in light of recent events.

Chris Newfield said...

@cloudminder on the key question of the scale of the program, the Nava letter suggests that it is uniformly systemwide.

Randomly:
the At Berkeley material on Operation Excellence is also priceless and predictive of the disaster it has become.

FB: a fair amount of post commentary has migrated to what seems to be an easier format that people are already "in" -- meaning it doesn't require going to a specific site. I would love to relink these discussions but that's certainly not how FB is set up . .

Anonymous said...

@maggie

No, it is not a Violation of FERPA unless that raw data contains and can be linked to individual persons (not IPA's) which is most likely the case here.

Anonymous said...

I have suspected UCOP of spying on Napolitano's enemies in the student body, faculty and staff since her first day.

bahmi said...

Gee, who would have figured that the former DHS commandant would be part of such a thing? You get what you pay for. Who put JanJan's name in the running for UC President, anyway? Just another ten cent conspiracy theory, eh? Sure it is. Donkeys can fly, too. @Michael Meranze

bahmi said...

@Anonymous
What happened at Berkeley is NOTHING out of today's "ordinary". The "security" state is alive and well and doing its job famously. If only Orwell were alive today.....

Brian Riley said...

@Anonymous (5:10 pm):

It's well known among student activists that the police detail assigned to the UC President keeps dossiers on selected students. They even openly admitted such, during Yudof's reign. They think it's OK to do, since supposedly all who have dossiers are suspected of violating various laws and statutes.

Anonymous said...

http://www.nytimes.com/2016/02/02/technology/at-uc-berkeley-a-new-digital-privacy-protest.html?_r=0

Chris Newfield said...

in the New York Times piece linked above, UC's CIO is cited: "Mr. Andriola emphasized that the program monitored network traffic rather than mining the contents of email messages, for example. “This is not spyware,” he said." In fact, spyware is any programming introduced into a computer network to gather information about a person's activity without their knowledge. It doesn't matter whether it's "only" metadata (which seems not to be the case with the application in question, which can in fact access contents). It's not a good sign that the University's CIO would say that it's not spyware if its main continuous activity isn't to read contents.

Anonymous said...

This is clearly a systemwide problem that needs to be addressed.

For individuals who want to avoid being spied upon, a VPN defeats this surveillance. A VPN will encrypt all your network traffic and send it to a server offsite, where it will be unencrypted and distributed from that offsite server. Responses will return to the offsite server where they will be encrypted and sent to you on campus. These services typically cost a few dollars per month and are widely used in China to get around the government's "Great Firewall" which prevents Chinese people from accessing certain web sites.

Anonymous said...

Hi Michael! Winnie Woodhull, UCSD

@Michael Meranze

Anonymous said...

University of California, Office of the President

@Anonymous

Anonymous said...

I think there was some discussion pertinent to this topic at the May 5, 2011 Regents Meeting. The discussion arose in the context of the need to revise the UC Audit Charter to recognize that the U. does not have an unrestricted right to personal emails of employees, etc., even if the emails are done at work on UC computers (if I remember correctly). So, in other words, it may be questionable as to whether or not the U. would have a legal right to read employees' personal emails, even if they do have that technical ability.

Anonymous said...

@Anonymous University of California Office of the President (referring to Janet Napolitano)

Zahid Hussain said...

@elaine x
Right...

Anonymous said...

How much does that vendor charge, so far, for their 'services'?
Or is that secret, too?
Why secure the whole network when with some finesse [perhaps available free at UC] they could focus on 'sensitive' information?

Chris Newfield said...

@Anonymous yes that is secret too. The firm that UCOP hired, Fidelis Cybersecurity, refused even to acknowledge that it had been hired to this IHE reporter https://www.insidehighered.com/news/2016/02/11/cybersecurity-experts-question-u-californias-handling-network-monitoring-controversy None of the questions about scope and the boundary between external traffic metadata monitoring and content monitoring have been answered, as UCOP spokesperson Steve Montiel maintains wiggle room: "UC spokesman Steve Montiel insists there are no plans to read anyone’s e-mails" http://www.sfchronicle.com/bayarea/matier-ross/article/UC-says-the-cost-of-its-secret-snooping-system-is-6828242.php UC has long had national security systems within its boundaries via the national laboratories. Pending further clarification, it feels to me that these systems and their culture have now become part of everyday campus activity in the form of routine signal monitoring. The refusal to offer further clarification about the program (for example, are all campuses conducting bulk collection of all communications metadata for signals leaving campus?) is part of that culture.

Celia Harrison said...

I have had the Office of the President of UC on my blog over and over. Just before President Obama came to Anchorage Alaska last fall her office and many security agencies and contractors were all over my blog. Then I had three homeland security agents follow me around, but there was nothing to see. That was a waste of money. They wanted me to know they were following me too, it was really weird. So it is clear Napolitano is continuing to work for Homeland Security. In this case I strongly suspect there is a connection to a certain corrupt politician from Alaska who also has connections to Arizona. So of course she is monitoring everyone's email.

Chris Newfield said...

@Celia Harrison Thanks for this info. I'm surprised that president Napolitano's folks aren't trying harder to show she ISN'T still working for HS but really does get the freedom and non-surveillance requirements of an academic environment

Esther Lezra said...

Hi Chris, Esther Lezra here. Thank you so much for doing this extremely important work for us.
