Sunday, November 16, 2008

I Own That Computer Damnit!

In a recent installment of As the Tyrant Turns, Graham writes about the need for tough computer security measures in universities to defend against myriad cyberworld threats. He dismisses the privacy concerns which the installation of firewalls and "protective software" have engendered in the professoriate as misplaced. And Graham ends his post with a warning to faculty everywhere that Cyber Fortress Academe is the future.
We can expect to see heightened awareness of this issue, and stronger efforts on the part of university leaders to batten down the hatches
Who's right, the security-obsessed Graham or Graham's privacy-obsessed faculty strawmen? That's a hard question to answer based on Graham's presentation, which is heavy on frightening computer security tidbits but light on the particular security measures which the professoriate has opposed on privacy grounds.

Graham hints that firewalls have been opposed by faculty on privacy grounds. Is that true at Penn State? A search of the University Faculty Senate Web site reveals no discussion of network firewalls. None. That doesn't mean that a few faculty members haven't expressed concerns, but it hasn't risen to the level of public discussion. On the other hand, students were outraged when a firewall was put up on dormitory networks a few years back. But that is a different issue.

Graham also talks about opposition to some generic "protective software" by the faculty. He could be referring to almost anything or nothing, though it is likely that he has in mind Penn State's new initiative to place scanning software on all faculty computers which will look for personal identification data such as Social Security and credit card numbers.

Let's take a closer look at this initiative and the faculty opposition to it to better understand this issue.

Details of the scanning initiative can be found here, but it is really easy to understand. Proventsure scanning software will be installed on all University computers including faculty desktop and laptop machines. The software will look for files with personal identification data, such as social security and credit card numbers, and create a log of the file paths of any files found to have such data. The logs will be sent via the network to IT staff for analysis and eventual action. The computer users will not get to see a copy of the log file.

Does this violate the user's privacy? To answer this, ask yourself if you'd give a third party access to your computer's file paths. For me the answer is clear. This scanning constitutes an invasion of my privacy.

Further, consider the precedent that this sets. University computer security policy (see AD20, ADG01 and ADG02) allows the IT staff to install scanning software on computers. Scanning software is not defined in the policy, but typically one thinks of anti-virus or anti-spyware software, which does not report results to third parties without the permission of the user. Once installation of the Proventsure software is mandatory, the definition of scanning software under AD19 will implicitly include software which reports information back to third parties; this will greatly expand what the University may do under the policy and it will weaken the faculty's claim to an expectation of privacy on their University computers. This is a terrible precedent.

This past September the Senate Council and the University Faculty Senate were briefed on the new scanning initiative by members of the IT staff. Patrick McDaniel, Associate Professor of Computer Science and Engineering and co-director of the Systems and Internet Infrastructure Security Laboratory, gave a rejoinder (scroll down to the page numbered 12) at the UFS meeting in which he opposed the transmission of the log files to third parties for analysis. He surveyed colleagues at 20 top computer science schools and found that none of the 17 schools that responded, which included MIT, Berkeley and CMU, did mandatory scanning for personal identification data on faculty computers and sent the logs to third parties for analysis. Here is a sample comment from Berkeley computer scientist David Wagner:
"It strikes me that this requirement [to scan computers] raises serious concerns. Forcing faculty to install software on their machines strikes me not only as an invasion of privacy, and one whose security justification seems dubious at best (and potentially harmful to security at worst), but also one that infringes upon academic freedom and other legitimate rights of the faculty and student body. To put it bluntly, if UCB proposed this, I would be up in arms."
McDaniel did not oppose the mandatory installation of Proventsure software provided that only the faculty users had access to the log files produced by the software. This seems to me to be a reasonable position.
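To make concrete what the scanner described above does, and what McDaniel's alternative would look like, here is an added example (my own code, not Proventsure's or Penn State's, neither of which this post shows): it looks for Social Security and credit-card shaped strings, records only file paths and hit counts, and writes the log locally with owner-only permissions instead of transmitting it. The regular expressions, the Luhn filter and the sample files are my assumptions, not details from the initiative.

```python
import json
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # 123-45-6789 shape (assumed pattern)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")       # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    # Luhn checksum: filters random digit runs that merely look like card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    # Count matches only; the matched values themselves are never stored or logged.
    counts = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            counts["card"] += 1
    return counts

def scan_tree(root, max_bytes=5_000_000) -> list:
    # Walk a directory; record only the path and hit counts of files with findings.
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            counts = find_pii(path.read_text(errors="ignore"))
        except OSError:
            continue                      # unreadable file: skip it, do not abort the scan
        if any(counts.values()):
            hits.append({"path": str(path), **counts})
    return hits

def write_local_report(hits: list, report_path: Path) -> None:
    # The log stays on the machine, readable by its owner only; nothing is sent anywhere.
    report_path.write_text(json.dumps(hits, indent=2))
    report_path.chmod(0o600)

def demo() -> list:
    # Constructed sample files (not real data) so the scanner can be exercised offline.
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("ssn 123-45-6789 card 4111 1111 1111 1111 noise 1234567812345678")
    (root / "plain.txt").write_text("nothing sensitive here")
    hits = scan_tree(root)
    write_local_report(hits, root / "pii-report.json")
    return hits
```

The Luhn check matters in practice: without it, any sixteen-digit identifier (an order number, a timestamp) would be reported as a credit card and the 51% figure quoted later in this post would be easy to inflate.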

Why did Penn State decide to implement a draconian scanning policy? It's hard to determine on the basis of the IT staff's Senate Council and UFS presentations, which were chock-full of frightening tales of cyber threats and stories about the personal identification breaches at Penn State and elsewhere, but without any indication of why the type of scanning they are conducting is the only possible response to these threats.

Based on the rather vague staff presentation and local news reports, the likely impetus for doing something about personal data breaches was two breaches which occurred at Penn State last academic year and which resulted in the exposure of slightly over 9000 individuals' personal identification information. In one breach, a researcher inadvertently posted a data set to the Web which contained the personal identification data of 8400 Marines. In the other breach, a professor's laptop which contained the personal identification data of 667 alumni was stolen. Another security initiative, the full encryption of laptop hard drives and other portable devices, would have prevented the second of these losses; hence events of this type do not justify the scanning initiative. In the first case, the researcher posted the data intentionally to his personal Web site, unaware that the file contained personal identification data. Obviously mandatory scanning could have prevented this breach, but other less draconian procedures would also have worked. For example, the University might require that all data sets which contain information on human subjects be scanned before they may be analyzed.

The IT staff also tried, in both of their presentations, to make the case that mitigation of personal data loss is costly. They could have done this by citing the cost of the mitigation for the 9067 compromised individuals from the previous year, but they chose instead to use a dubious and almost certainly high estimate of about $150 per individual for mitigation (under questioning from a senator at the second presentation they admitted that the estimate was unlikely to be reasonable), and at the Senate Council presentation they pointed out that the cost for mitigation of 8000 individuals (the Marines?), based on this estimate, would be over a million dollars. Scary stuff... but what was the actual cost of the mitigation undertaken by Penn State? Whatever it was, it was probably not scary enough.

Evidence was also presented to both the Faculty Senate and the Senate Council to suggest that many University computers have files on them which contain personal identification data. They noted that scans of 3168 computers in two colleges over the summer yielded 1619 computers, or 51%, with personal identification data on them. This really isn't a very meaningful statistic. One would want to know the average amount of personal identification data on these computers and how that number breaks down across various types of computers, such as department servers and the desktop and laptop computers of individual faculty. How many of the computers which were found to contain personal identification data contained only the personal identification data of the user?

So the IT staff didn't make the case for these intrusive scans. Why implement the scans? Is it simple overreaction by the staff or is something more sinister at play?

I think that overreaction by the staff alone can be ruled out. Graham stood behind the initiative explicitly in his remarks before the September UFS meeting and implicitly in his blog. Therefore I think that it is a safe bet that this initiative was cleared by Old Main and the University Council's office before it was announced.

Further, Old Main has a habit of overreacting to problems at the expense of the faculty or students. For example, when it came to light that the University had a rehabilitated convicted murderer on the faculty, unbeknownst to anyone, the response was to institute background checks for all new faculty hires. When an administrator usurped the student government's authority to recognize student clubs by rejecting a Christian group's application for student club status, which led that group to file a lawsuit, the University took away the student government's right to recognize student groups.

Eventually Graham schemed to eliminate the student government entirely and replace it with a "student advocacy group" without any delegated powers. This points to another fact of life under Graham which may be relevant here: he has gradually consolidated power in Old Main, pushing students and faculty to the margins.

Graham also has the habit of putting the interests of powerful outside groups ahead of students and faculty. In his capacity as co-chair of the Joint Committee of Higher Education and Entertainment Communities, he enabled the RIAA's legal war against students who engage in P2P file sharing.

Today Graham chairs the National Security Higher Education Advisory Board, a fact that he mentioned in his remarks on scanning to the UFS in September. Hence it may be that he wants to help this group set a precedent for a low expectation of privacy on behalf of faculty everywhere. Or as the IT staffer put it at the Senate Council meeting,
Improving computer security is a continuous process that will lead to a cultural shift. We will protect our information assets as routinely as we protect our physical property. The first step is to locate personally identifiable information on Penn State computers. We will work with the IT staff in all colleges and campuses to scan computers (from laptops to servers)...

What cultural shift do they have in mind? Clues can be found in both a Collegian article on the scanning initiative and Graham's blog post. Here is Graham:
Even when the University has purchased the computer or electronic device, and even when a University network is used, many users consider their device to be private property.
They want the faculty to stop thinking of the computers they use every day as their own computers, and to stop thinking that they have any expectation of privacy on these computers or on the University networks.

Faculty at other universities should be aware that the precedent set at Penn State may be used by administrators at their schools to justify the diminution of their privacy expectations.

1 comment:

shinyhobo said...

This scanning initiative is a prime example of top-down project implementation that leaves everyone rubbed the wrong way. The University wants to protect sensitive data, good, I'm all for that. To bed down with Proventsure without a formal RFC process was hasty. To treat faculty, staff, and students like children in this situation fosters an ugly, distrustful culture across the University. Additionally, the University cannot enforce or compel compliance for a vast number of computers that log into PSU networks. If their intention was to reduce the amount of sensitive info that could be potentially breached, their heavy-handed methods are going to prove antithetical to that goal.