UC Data Monitoring System Sparks Privacy Debate

Several UC professors have expressed concern over the threat to privacy posed by a data monitoring system installed by the University of California Office of the President (UCOP) last summer at all 10 UC campuses without faculty consultation. The system was installed to protect UC campuses from cyber attacks.

The data monitoring system, called Fidelis XPS, was programmed by Fidelis Cybersecurity. According to the Fidelis Cybersecurity site, the system “allows us to ‘see deeper’ into applications and, in particular, the content that’s flowing over the network.”

UCOP moved to implement a new cybersecurity system in July 2015, shortly after a major cyber attack on the UCLA Health System. A hacker was able to access private areas of UCLA Health’s network, including personal information, like the names, addresses and social security numbers of 4.5 million individuals.

In a statement on July 17, 2015, President Janet Napolitano, former Secretary of Homeland Security, explained that “an external cybersecurity group will assess our security posture across the UC system,” and that “the team will review and validate ongoing internal efforts and assess emerging threats and potential vulnerabilities.”

Among the protocols devised by the team was mandatory cybersecurity training for all UC employees for the first time.

Knowledge about the actual system, however, first circulated after UC Berkeley Professor Ethan Ligon, one of the faculty members of Berkeley’s Senate-Administration Joint Committee on Campus Information Technology (JCCIT), sent an email to faculty members on Jan. 28, explaining that the new system “is capable of capturing and analyzing all network traffic,” which “can be presumed to include your email, all websites you visit, all the data you receive from off campus or data you send off campus.”

Ligon and other faculty members of the JCCIT were also concerned that this system was installed by the UCOP in secret, without consulting faculty members, including the IT and security experts on campus. Ligon made clear that he and other members of JCCIT view this “as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.”

However, David Kay, Professor of Computer Science and chair of the University Committee on Academic Computing and Communications (UCACC) at UC Irvine, explained in a letter addressed to the UC Academic Senate on Feb. 1 that “neither message content nor browsing activity [are] monitored” by the new system.

In an email to the New University, Kay further explained that the Fidelis XPS system can vary from client to client, but the version installed at UC campuses complies with the University of California Electronic Communications Policy, which ensures that “any unavoidable examination of electronic communications … shall be limited to the least invasive degree of inspection.”

Kay explained that the UC version has access to two categories of information: “‘metadata’ for all transmissions from UCI sites to non-UCI destinations and vice versa” and “the complete contents of transmissions that match known patterns of malware or other attacks.”

This “metadata” includes the IP addresses, times, dates and sizes of transmissions. It is kept for 30 days and then deleted. The data is stored temporarily so that it may be examined only after a threat is discovered, to learn how long that threat has been present.

“Note that encrypted transmissions, which includes https, VPN and much modern email, will not be recognized or captured at all,” said Kay.

Kay also added that the UCACC had a meeting with UCOP IT executives in Oakland on Feb. 1, and that the UCACC was satisfied with the new system because it “did not extend to the contents of everyday faculty communications.”

Like Ligon and the other professors at Berkeley, Kay agrees that the UCOP should have informed and worked with faculty in addressing cybersecurity on UC campuses. Kay understands that the UCOP had to act quickly after the cyber attack last summer, but he believes that there should have been more effective communication.

“There may have been explanations for the lapses — an emergency situation, the threat of lawsuits, new people in management positions who weren’t really familiar with what shared governance means — but they were lapses and the communications need to be much better in the future,” he said.

Tom Andriola, the systemwide UC Chief Information Officer, and David Rusting, the systemwide UC Chief Information Security Officer, are now overseeing the cybersecurity issues.

“They have been very accommodating, offering to conduct briefings about the program to interested UC groups,” said Kay.

In the future, Kay hopes that the UCACC will seek to encourage designers of software systems to involve students and faculty who use these systems from the beginning, so that these programs are more efficiently tailored to their needs. The UCACC also seeks to update UC’s privacy and data governance policies, which were last revised in 2005, so that they better reflect current information technologies.