Roosevelt Institute | Cornell University

UC Network Monitoring Sets Troubling Precedent

By Chad StephensonPublished April 3, 2016

Earlier this year, the UC system quietly implemented a new network monitoring program that has quickly raised concerns among students and faculty. In the fight for cybersecurity, should students have a say in how their personal data is handled?
By Chad Stephenson, 04/03/16

Following a recent security breach at UCLA, University of California president Janet Napolitano ordered the installation of an internet traffic monitoring system at all campuses within the university system. This move has proven highly contentious given concerns over surveillance, lack of transparency, and questions of effectiveness. Despite being instructed not to disclose the university system's installation of network traffic monitoring software, faculty members have publicly spoken against the system, and forced the debate into the national spotlight.

Last September, a data breach at UCLA compromised sensitive medical information for up to 4.5 million patients. Despite the enormous magnitude of the breach, UCLA administrators waited two months to notify the public and are offering affected individuals one year of identity theft protection service as compensation. Hackers are increasingly targeting medical institutions to access the troves of sensitive personal data they store. In moving to protect UCLA and the UC system from future cyber-attacks, Napolitano finds herself at the center of a contentious debate about privacy and the rights of individuals to control how their personal data is collected and stored. Since Napolitano left her post as Secretary of Homeland Security to become president of the UC system in 2013, she has been involved in a number of controversies surrounding her decisive leadership style. Napolitano chose to significantly diminish funding for an UC-owned observatory, which was nearly closed before the president reversed her plan for deeper budget cuts. More recently, in response to students protesting tuition hikes, Napolitano was heard saying "Let's go. We don't have to listen to this crap." After Napolitano made the decision to secretly install network monitoring software, one professor complained that Napolitano was failing to honor a tradition of faculty involvement in such major resolutions.

Since the monitoring practices have become public, Napolitano has defended the change, assuring concerned students and faculty that their emails and browsing history are not being reviewed, but that the move is focused on improving cybersecurity. The network monitoring system captures and stores all incoming and outgoing information, including emails and browsing history, for at least 30 days. Regardless of whether that data is being closely monitored, many students are upset that they can no longer guarantee confidentiality to human research subjects, or trust that their communications are truly private. In the 1960s, the FBI surveilled the UC Berkeley student body, concerned that it had become a dangerous source of communist dissent. While the current situation is less extreme, surveillance remains a sensitive subject at Berkeley.

This decision is a direct response to the UCLA data breach. However, security expert Vinnie Liu warns that storing massive amounts of sensitive data may make the UC system a larger target for future attacks, as mass data storage is partially responsible for frequent cyber-attacks on hospitals. Still, universities stored significant amounts of personal data before the implementation of the network monitoring framework, and have thus been targets of cyber-attacks in the past. Given the complex and often confidential nature of providing effective cybersecurity, it will be difficult for the university to convincingly prove the value of the system going forward. Given the large amount of sensitive data stored by the UC system, and its vulnerability to the UCLA data breach, increased cybersecurity measures are not unreasonable. Regardless, Napolitano has set a troubling precedent by failing to involve students and faculty in a discussion of the changes, and by initially attempting to keep the network monitoring secret. Affected parties have a right to know whether their data is subject to new monitoring, and should be entitled to have a meaningful vote on whether they consent to such measures. Going forward, Napolitano and other university presidents should guarantee students an absolute right to privacy (excluding legal, warranted data searches), provide reports quantifying the effectiveness of any network monitoring systems, and take a firm stance against unjustifiable spying by government entities.