The discovery that the university is monitoring UC Berkeley network traffic has sparked outrage among faculty members who see such undisclosed surveillance as a significant threat to privacy.
News of the monitoring spread Thursday afternoon when Ethan Ligon, campus associate professor and one of six members of the school’s Academic Senate-Administration Joint Committee on Campus Information Technology, sent out an email to the campus College of Natural Resources’ faculty that alerted members to the installation of a powerful monitoring device in the campus data center.
“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data,” Ligon wrote in the email. “This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.”
When campus integrative biology professor Robert Dudley received Ligon’s email, it was the first he had heard of the surveillance, and it was a “bombshell.”
“It sounds like a cover up to me. It’s really rare on a campus like Berkeley to have a true secret,” Dudley said. “Thus far, we’ve had zero transparency.”
Several UC Berkeley faculty members first heard about the ongoing monitoring in early December from campus information technology staff who were instructed by the university to keep the information confidential. These staff pointed out the device to associate professor of practice of art Greg Niemeyer because they felt “sufficiently uncomfortable” with the lack of transparency.
Niemeyer visited the campus data center located in Warren Hall to see the installed device for himself and identified the hardware as a product sold by the company Fidelis Cybersecurity. Few people are privy to exactly what the system is currently doing or the types of information it collects — one of the many ambiguities around the university’s actions that faculty say is cause for concern.
“Right now we don’t know, we can’t ask and we can’t find out,” Niemeyer said.”The whole operation is covert, and we can only assume from the hardware we see that it’s extremely expansive.”
According to Fidelis’ website, the company aims to help organizations reduce the time it takes to detect and resolve cybersecurity breaches. It equips its customers with products that rapidly analyze network traffic and record data such as domain name systems and website URLs so, in the event of an attack, organizations can examine how any stage of a breach happened after it occurred.
“These appliances, depending on how they are configured, can be privacy doomsday machines,” said campus law professor and faculty director of the Center for Law and Technology Chris Hoofnagle in an email.
He said similar devices either have the capacity to intercept and inspect encrypted communications or automatically analyze the contents of communications — meaning that such devices could examine campus emails.
On Monday, Nils Gilman, UC Berkeley cyber-responsible executive, and Ben Hermalin, professor of economics and chair o
f the Academic Senate, sent out UC President Janet Napolitano’s statement responding to faculty members’ intensifying public dialogue on the situation.
“We create, collect, store, and use valuable information about our research and discoveries, our employees’ personnel information, our students’ educational records, and more,” Napolitano said. “These attacks pose a serious risk to individual privacy, to the valuable intellectual property we create, and to our financial position.”
Faculty concerns surface
On Jan. 19, after faculty members reached out to the University of California Office of the President to express concerns about the equipment, Rachael Nava, UCOP executive vice president and chief operating officer, responded to clarify the rationale for the device.
In July of last year, UCLA Health announced that it had been penetrated by a serious cyber attack in which hackers accessed areas of the network that contain personally identifiable information — such as Social Security numbers and medical record numbers — for 4.5 million patients. The university is currently defending 17 class action lawsuits demanding millions of dollars in damages as a result of the breach.
Nava, in her letter to faculty, explained that the attack was characteristic of an Advanced Persistent Threat actor, or APT, which are organized, sustained and highly coordinated cyber attacks, making them difficult to detect and extremely destructive.
After monitoring began in August 2015, the university issued a new cybersecurity policy online. The coordinated monitoring policy asserts that from “time to time, if a serious cybersecurity threat arises that may potentially impact multiple campuses, the Office of the President may direct campuses to coordinate security monitoring, investigation, and threat remediation activities.”
The policy is phrased in a very hypothetical fashion, Niemeyer said, which belies the university’s extensive, current and ongoing monitoring.
What troubles Hermalin and other faculty members is that the university’s monitoring activities were not elucidated until Nava’s letter. University officials initially did not acknowledge the monitoring until concerned faculty met with UC officials including Chief Information Officer Tom Andriola on Dec. 21.
Hermalin said the Dec. 21 meeting seemed productive to him, as UC officials indicated that the monitoring would soon cease and the university would publicly disclose the details of its surveillance activity.
On Jan. 12, however, the Joint Committee on Campus Information Technology learned from campus Associate Vice Chancellor for IT and Chief Information Officer Larry Conrad and other officials that the university had decided to continue the monitoring without disclosing details of it to students. At that point, some tenured faculty decided to draft an open letter circulated to the New York Times and to campus and UC officials. A week later, Nava’s letter was written in response to this open letter.
“(Nava’s letter) was a step in the right direction,” said campus industrial engineering and operations research professor Ken Goldberg. “But it didn’t go far enough.”
The monitoring does not violate any rules outlined in the university’s Electronic Communications Policy. Indeed, the policy expressly permits routine analysis of network activity for purposes such as ensuring the security and reliability of UC electronic communications. It also allows analysis of the network traffic itself to confirm malicious or unauthorized activity that could harm the network or devices connected to it.
Questions of communications
Ligon noted that “back doors can be used for perfectly legitimate reasons.” He added that it is not the device’s presence that is infuriating, but rather the secrecy with which the university has gone about implementing this “back door” in the campus data center.
“The president of the system is not the dictator,” Hermalin said. “She’s supposed to consult with campuses, with faculty.”
Hermalin takes issue with what he sees as violations of informal principles central to an institution like the University of California — shared governance and open communication.
Napolitano notes in her statement that a cyber risk committee, which includes a representative of the university’s faculty senate, has stayed informed of the cybersecurity measures taken over the past couple months.
The bottom line for the university, according to university spokesperson Kate Moser, is that the measures being taken aim to protect the security of the entire system. A single campus or unit at risk could pose risks to units across the UC system, she said.
“Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway,” Napolitano said in her Monday statement. “Nothing could be further from the truth.”
To Niemeyer, perceived privacy presents a threat to academic freedom. Students often explore the Internet confidently with little knowledge that a third-party can analyze the online trail they leave, he said. Niemeyer noted that the system has the capacity to look at DNS logs, which provide information on what websites individuals have looked at. He said this kind of “perceived privacy” mindset in which students are operating in represents a trap.
“I think most faculty appreciate that there’s a need for security,” Hermalin said. “What’s objectionable to faculty is when monitoring takes place in secret.”
If a subpoena were issued against an individual who used the campus network, the university would have to provide that collected data, Niemeyer said.
“If you were working in a company … you wouldn’t have a right to say, ‘That’s my personal research.’ … But a university is a very different organism and it serves society in a very different way,” Niemeyer said. “It’s a delicate and rich process and one we need to protect.”
Policy prohibits the university from using the data for nonsecurity purposes, and aggregated data is stored for a limited period of time and isolated in a secure system, after which it is forensically disposed of.
Nava’s letter assures faculty that the university’s network traffic analysis takes a layered approach — a privacy-enhancing measure that sets restrictions on the type and amount of data reviewed depending on the type of threat — when appropriate.
Hoofnagle said layered review is good, but that it could be the case that the device itself might automatically decide to examine traffic content, depending on its configuration.
Although university employees are restricted from disclosing personal data found in the course of performing network security duties and are subject to disciplinary measures if they violate such rules, the policy makes an exception for instances where an employee comes across obvious illegal activity.
The future of monitoring
The UC system has increasingly become the target of Advanced Persistent Threats by virtue of the fact that such academic research networks contain valuable data, according to Nava’s letter.
Napolitano thus began a series of systemwide actions in subsequent months to “strengthen the University’s ability to prevent, detect, and respond to such attacks,” Nava wrote.
In recent years, the university has suffered other breaches, including a February 2015 data breach of UC health insurer Anthem, in which hackers accessed a database housing the personal information of 80 million people. At UC Berkeley specifically, two data breaches — one in December 2014 and one in April 2015 — rendered nearly 2,000 students, family members and campus employees’ Social Security numbers vulnerable.
Hoofnagle said the university may feel forced into using the appliance in order to do damage control in the wake of significant security breaches, and now that the device is up and running, it will continue to detect more APTs, which could make it difficult for the university to justify switching it off.
“Some of these appliances can even detect content and stop the message from being sent — a great feature to stop APTs but one that could also be employed to quash academic freedom,” Hoofnagle said in an email.
Overall, Hoofnagle said, the university’s attempt to harmonize the system’s security is a plea to reduce protections implemented by individual campuses. Hoofnagle suggested that UC Berkeley consider other approaches, such as reducing the number of systems that are CalNet-connected or the adoption of two-step verification systems.
When contacted for an interview, campus director of telecommunications Michael Green replied in an email that explicit instructions from UCOP Office of General Counsel prevented him from speaking on the subject.
“I’m sorry, but UCOP has been very clear about what may be disclosed with respect to network monitoring,” Green wrote.
Faculty members plan to hold a forum to discuss the surveillance measures Tuesday.