Site Presented By
Sunday, Jul 12, 2009
The only way to defend student privacy against USA-PATRIOT subpoenas, says University of Michigan public policy professor Virginia Rezmierski, is for university IT departments to stop saving their logs. You can't subpoena information that doesn't exist. Rezmierski is the lead author of a 2001 National Science Foundation study of network monitoring and logging practices on college campuses.
"I don't think this study made people very happy when it came out," she says. "A lot of our findings were very disturbing." She describes interviewing a college systems administrator for the study who told her that he had singled out one student and periodically logged everything he did on his computer "because [the student] was really competent with network operations and he seemed a suspicious type."
She and her co-researchers also discovered that many schools routinely kept records of everything people did on campus networks. Worse, they saved this information without stripping personal identifiers out of it. "People don't realize there are different levels of monitoring and logging," Rezmierski says. "You can save logs in order to analyze them for technical and security purposes without saving personal information." When schools must save logs, she emphasizes, it's crucial that they remove any markers that connect their data to particular individuals.
She adds that if colleges don't have policies regulating who has access to such logs, students are left vulnerable to censure by politically motivated administrators who deem certain students or student groups "suspicious" enough to monitor.
Perhaps most disturbing to critics and privacy advocates is the fact that schools are responding to subpoenas from the music recording industry with as much alacrity -- and as many privacy-invading techniques -- as they are to subpoenas related to national security. In their efforts to ferret out pirates, administrators are violating their own campus privacy policies, treating students who use P2P software the same way they would treat potential terrorists.
Earlier this year, administrators at Penn State decided to hunt down and punish students on the campus network who were using Direct Connect, a program that can be used to trade music files. Although Penn State promises students that their computer use won't be monitored, administrators tracked down over 200 students using Direct Connect in April and shut down their campus network accounts. Contrary to its expressed policy, the school was retaining logs of network activity that could be traced to individual students.
Penn State's vice provost of information technology, Russell Vaught, refused to say how the students had been identified, explaining only that his office had "acted within the law." But undergraduate Mike O'Connor, director of technology affairs for Penn State's undergraduate student government, showed me an e-mail he'd received from Vaught that acknowledged university techs had watched the online activities of students to find out which ones were using Direct Connect. Vaught's office may not have broken the law, but O'Connor says that he and other students believe that "Penn State violated its own policy in using these methods."
For a few months last year, the University of Wyoming used a program called AudibleMagic to look at the content of every piece of data traveling over the campus network suspected of containing copyrighted material. Administrators could gain access to any student's private data if they suspected he or she might be pirating music. Lambasted in the press, administrators stopped using the program in May. Robert Aylward, the vice president of information technology at the university, says that it no longer uses AudibleMagic and has switched to a program called Packeteer, which tracks data flow on the network but doesn't look at the content of that data.
However, an AudibleMagic rep says that other universities are adopting its technology.
There are countless products and services like AudibleMagic on the market, all enabling network administrators to place students under surveillance in the name of copyright protection, network monitoring and national security. On college campuses today, the question isn't whether your computer activity is being watched; it's who might use your private information against you.
