Berkeley, CA- Janet Napolitano, the former United States Secretary of Homeland Security under President Barack Obama and current president of the University of California, is under scrutiny for putting UC employees under surveillance under the guise of security.
The former DHS boss who once said she doesn’t use email is now being accused of authorizing a monitoring system to keep track of the communications, file routing, and web surfing of UC employees. The UC system includes Berkeley, University of California- Los Angeles (UCLA), and other campuses across the state. The scandal was reported by University of California- Santa Barbara (UCSB) professor Christopher Newfield after the San Francisco Chronicle broke the story.
According to Newfield, who published the internal communications between faculty members, the university’s campus information technology committee was banned from discussing the program with members of the staff. Things changed the moment the committee decided to break the rules and go public.
Per the two UC Berkeley faculty communications published by Newfield, the installation of the surveillance program was “ordered” by Napolitano. But UC’s Chief Operating Officer claims “UC policy ‘forbids the university from using such data for nonsecurity purposes.’”
Once faculty members pressured Napolitano, her office defended its actions by “relying on secret legal determinations and painting lurid pictures of ‘advanced persistent threat actors’ from which we must be kept safe,” Ethan Ligon said. Ligon is one of six members of UC’s Senate-Administration Joint Committee on Campus Information Technology. While UC officials have promised faculty their privacy won’t be breached, Ligon says “systems designed to do exactly that” are being implemented under their watch.
According to Techdirt’s Tim Cushing, the implementation of a surveillance program under the assumption that surveillance will keep UC safe breaks the school’s privacy policies, precisely because Napolitano is incapable of “guaranteeing abuse of this surveillance will never happen.”
Despite the faculty’s opposition and request for more information, Napolitano’s office failed to explain why it decided to keep the program a secret, shunning most of the UC staff from important details pertaining to the breach of their privacy.
Napolitano’s office also failed to disclose the name of the third party keeping track of the staff’s communications.
Here’s an email from January 28, 2016 released by Newfield that shows UC Berkeley faculty discussing Napolitano’s decision to keep the program a secret:
“UCOP [University of California, Office of the President] would like these facts to remain secret. However, the tenured faculty on the JCCIT [Joint Campus Committee on Information Technology] are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.
“Some salient facts:
“- The UCOP had this hardware installed last summer.
“- They did so over the objections of our campus IT and security experts.
“- For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.
“- The intrusive hardware is not under the control of local IT staff–it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.
“- The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (“full packet capture”). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.”
As a greater number of staff members learned about the program in December, staffers were told the monitoring would cease. But on December 21, the committee was informed that UCOP decided to keep the program. JCCIT members then drafted a letter and sent it to the school administration and the New York Times. The school’s executive vice president, Rachel Nava, replied, urging JCCIT to “not distribute” the letter’s contents, invoking “attorney-client” privilege.
As JCCIT members replied with questions regarding the client — and why the letter had to remain confidential — Nava sent a revised version of the letter without the confidential language. The revised letter stated:
“All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed.”
Here’s a quote from the revised letter sent from Nava:
“With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.”
To Tim Cushing, Nava’s statement is incorrect.
“Privacy does not ‘perish’ in the absence of security,” he wrote.
“This conflation of the two is ridiculous. If a malicious party accesses private communications, that’s a security issue. If an employer accesses these communications, that’s a privacy issue. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By adding a third party to the monitoring process, the university has diminished the privacy protections of its staff and added an attack vector for ‘advanced persistent threats.’ It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.”
According to Nava’s letter, “Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring.” She claimed individuals making public records requests, a right protected under California’s constitution, is the real threat to privacy.
“The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests,” she said.
While Napolitano appears to have decided to maintain this program for security purposes, the school’s tech committee believes the IT staff is perfectly capable of handling the network’s security and privacy.
To Cushing, monitoring employees’ use of communications equipment is one thing, but what UC is doing is very different:
“You can’t install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can’t play fast and loose with ‘security’ and ‘privacy’ as if they were both the same word spelled two different ways.”