Advertisement

SKIP ADVERTISEMENT

At Berkeley, a New Digital Privacy Protest

Students seen through the window in the student union at U.C. Berkeley. The school is considered a bastion of academic freedom and computer science talent.Credit...Elizabeth D. Herman for The New York Times

After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university system’s 10 campuses.

Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s.

In recent days, the professors have begun speaking out publicly about the issue. “My primary concern is monitoring the private information of students and faculty in secret,” said Eric Brewer, a professor of computer science at U.C. Berkeley. “I’m sure there’s good intent. But I can’t see a good reason for doing it.”

The resistance from Mr. Brewer and other professors at Berkeley, which is now becoming a public debate with the university system’s administrators, raises the issue of how to define academic freedom in the age of online attacks. While some of the professors criticize the monitoring program as one that invades their privacy, the University of California has responded that “privacy perishes in the absence of security.”

It’s part of the larger challenge that fast-moving technology poses for social values. Every day, corporations, government agencies and universities must balance the need for computer security with the expected right to privacy of the people who use their networks. In different settings, there are different rules, expectations and levels of threat.

“We’re really just starting to sort out the risks and rules for digital security and data collection and use,” said Elana Zeide, a privacy expert at New York University’s Information Law Institute.

The Berkeley dispute stands out because of the place and personalities involved. U.C. Berkeley is not only a leading producer of computer science talent, but also a champion of the free speech movement, so any surveillance is regarded as particularly jarring. For her part, Ms. Napolitano, who joined the California university system in 2013, is no stranger to computer security policy, having served four years as the nation’s Homeland Security chief.

The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of California’s chief information officer in December, the professors asked for the program to be halted.

Image
“The issue here is the lack of transparency and the lack of shared governance,” said Greg Niemeyer, director of the Berkeley Center for New Media, about a dispute over digital-traffic monitoring at the university.Credit...Elizabeth D. Herman for The New York Times

On Jan. 19, Ms. Napolitano’s staff responded in a five-page reply declining to do so; the letter was emailed last Friday to the entire Berkeley faculty and others. The University of California defended the security initiative as a measured step under the circumstances, and added that “for cybersecurity purposes, a risk to what appears to be an isolated system at only one location may in some circumstances create risk across locations or units.”

The university said Ms. Napolitano was not available for an interview. Steve Montiel, press secretary for the president’s office, said he was not aware of any complaints from other campuses about the monitoring program.

The roots of the dispute stretch back to the attack disclosed last July at the UCLA Health System, which potentially put the private information of 4.5 million patients at risk. In an interview on Monday, Tom Andriola, chief information officer of the University of California system, said after the medical center attack the system administrators had to “move swiftly” to insure against similar breaches.

Some faculty members, he acknowledged, may have understandably felt there was too little consultation. But Mr. Andriola said that “moving forward the faculty will be deeply involved.”

Last Oct. 27, the president’s office issued a short statement describing the new data-tracking program, called the Coordinated Monitoring and Threat Response Initiative. The program’s hardware and software are being supplied and run by an outside contractor, Fidelis Cybersecurity. The president’s office has set up a Cyber-Risk Governance Committee to oversee programs like the data center monitoring, which includes a Berkeley representative, though not a tenured faculty member.

The faculty members learned about the monitoring program from people who knew it was being put in place, but who asked not to be identified because they were not authorized to disclose the information. Once alerted, the faculty group became concerned.

Just what data is being collected and stored in the monitoring program is unclear. The president’s office has not explained the data collection and data use practices of the program, the Berkeley professors said.

“The issue here is the lack of transparency and the lack of shared governance,” said Greg Niemeyer, director of the Berkeley Center for New Media.

Lawsuits stemming from the U.C.L.A. breach last summer prevent the president’s office from disclosing details of the monitoring program, according to Rachael Nava, chief operating officer of University of California system, who signed the Jan. 19 letter. In the letter, she said the legal constraint was “regrettable” because she could not share additional information that “might correct some of these misimpressions.”

Image
Janet Napolitano, who was secretary of homeland security in the Obama administration and is now president of the University of California, has moved to shore up security across the university system.Credit...Richard Hartog for The New York Times

Mr. Andriola emphasized that the program monitored network traffic rather than mining the contents of email messages, for example. “This is not spyware,” he said.

The standard practice at Berkeley, the professors said, had been to immediately delete the so-called log files that show the websites a person had visited or the origin and destination of email traffic. The exception, they said, was if a pattern of network use signaled the suspicion of data theft or a hacker attack. So in the past, they said, the monitoring in Berkeley data centers was light-touch, and targeted.

The worry, Mr. Niemeyer said, is that if network traffic logs are stored, they could be subject to subpoena. An example, he said, might be if a foreign student from China or some other autocratic nation is visiting the websites of dissidents or emailing them.

“Before, we could just say that we just don’t have the records,” Mr. Niemeyer said. “Now, it’s not clear we wouldn’t or the third-party company wouldn’t. That is the kind of scenario that is not unlikely.”

Other examples, he said, might be constraints on academic freedom to research topics that some object to — say, pornography or Satan worship. Such inquiries, in theory, could become the target of congressional investigations into the use of taxpayers’ money that supports a major public university like Berkeley.

In December, the Berkeley faculty group met with Mr. Andriola to voice their concerns and call for a stop to the monitoring program. In the Jan. 19 letter from Ms. Nava, she stressed the “seriousness of the threat.” The digital attacks can sometimes jump from one network to another, she said.

The Berkeley professors remain unpersuaded. Corporations often monitor the online behavior of their employees, but American universities have a different tradition.

“It’s a pretty settled point that universities go out of their way not to monitor students, faculty and staff,” said Jeffrey MacKie-Mason, the university librarian at Berkeley. “Yes, sometimes security concerns trump privacy. But it’s something we should have an informed discussion about.”

Mr. Andriola said he welcomed a dialogue with the university faculty as a whole. “This is not a technology issue,” he said. “It is about how to strike a balance between being a very open university while still protecting the assets of the university from nefarious actors.”

A correction was made on 
Feb. 2, 2016

An earlier version of a headline with this article misidentified a campus at which faculty members have raised concerns about a digital monitoring program. As the article correctly notes, is the University of California, Berkeley, not U.C.L.A.

How we handle corrections

A version of this article appears in print on  , Section B, Page 1 of the New York edition with the headline: A New Digital Privacy Protest. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT