Don't look now, but the dean is watching

Pressured by the double whammy of feds looking for terrorists and the music industry chasing file sharers, universities are keeping a close eye on student Internet use.

Published November 12, 2003 8:30PM (EST)

Last March, a protest against arms manufacturer Raytheon at the University of New Hampshire was derailed by campus administrators who had been covertly monitoring the e-mail list of a student group called the Peace and Justice League. According to UNH undergraduate Rob Wolfe, the group was making plans to protest Raytheon's presence at a UNH job fair. Wolfe says that "there are no campus administrators on the [e-mail] list," but somehow the vice president of student affairs managed to get a copy of a private e-mail about the protest.

"Raytheon canceled their appearance literally at the last minute," he says. "It's unclear whether this was connected to the e-mail leak, but it's certainly atypical of Raytheon not to follow through on a campus appearance." A spokesperson for Raytheon refused to comment on whether the company had canceled its appearance because of the protest, but did acknowledge that the company skipped the job fair and instead met individually with students who had made appointments.

The idea that university administrators are reading private e-mail might seem distinctly Big Brotherian, but the practice is increasingly commonplace. When students access the Internet via university equipment, everything they do -- from sending e-mail and visiting Web sites, to sharing pictures and using certain kinds of software -- is being watched.

Historically, computer network administrators have monitored student activity online for purely legitimate, technical reasons. Increasingly, however, pressure from government and industry is forcing university administrators to become digital spies. Fears of terrorism, combined with concerns about copyright violations, are creating a climate of campus surveillance.

At the University of California at Berkeley, the everyday Web-surfing habits of students are regularly watched and recorded. Berkeley's Systems and Network Security group uses a program called BRO -- named after the infamous fascist icon from George Orwell's "1984" -- that keeps logs of every IP address students visit on the Internet from the campus network.

Cliff Frost, UC-Berkeley's director of communication and network services, says that "this practice is under review right now," because the campus community feels it interferes with academic freedom. He expects that the university will continue to keep logs but will discard them after a month or two. "I'd love to keep that data forever," he adds, "if there weren't the threats of subpoenas for vile purposes."

He is referring partly to recent actions by the Recording Industry Association of America, which has subpoenaed universities for the names of students allegedly engaging in music piracy. Techs must comb through saved logs for personal information to fulfill the subpoenas' demands. Some schools, including MIT, have refused to hand over the information by arguing that it is protected under the Family Educational Rights and Privacy Act. FERPA is designed to stop students' personal data from being handed over to third parties, and no one has yet challenged the use of FERPA in these copyright cases.

But there is a little-discussed section of the USA-PATRIOT Act that renders FERPA completely useless when federal officials subpoena personal student information for terrorism-related investigations. Not only do these federal subpoenas bypass FERPA, but the people served are not permitted to discuss them with anybody.

"You can't challenge [these subpoenas] because you can't tell anyone you've received them," says Lauren Gelman, an attorney with the Center for Internet and Society at Stanford. "At a university, one administrator can't even tell another administrator about these subpoenas, so there is no way to know how many have gone out." While university administrators want to comply with federal laws, many are wary of handing over private data in such a secretive manner.

And if the experiences of MIT computer network director Jeff Schiller are any indication, USA-PATRIOT Act subpoenas are being used on a regular basis to gather information about student online activity. "Things have definitely changed around here since 9/11," Schiller says. "Nobody has come around with a blanket subpoena looking for e-mails sent by Muslims [on campus]. But we'd never seen subpoenas for information related to national security before, and now we do." He couldn't reveal how many of these subpoenas he's received, but he did confirm that there has been a marked escalation in the electronic investigation of people at MIT "on terrorist grounds."

The only way to defend student privacy against USA-PATRIOT subpoenas, says University of Michigan public policy professor Virginia Rezmierski, is for university IT departments to stop saving their logs. You can't subpoena information that doesn't exist. Rezmierski is the lead author of a 2001 National Science Foundation study of network monitoring and logging practices on college campuses.

"I don't think this study made people very happy when it came out," she says. "A lot of our findings were very disturbing." She describes interviewing a college systems administrator for the study who told her that he had singled out one student and periodically logged everything he did on his computer "because [the student] was really competent with network operations and he seemed a suspicious type."

She and her co-researchers also discovered that many schools routinely kept records of everything people did on campus networks. Worse, they saved this information without stripping personal identifiers out of it. "People don't realize there are different levels of monitoring and logging," Rezmierski says. "You can save logs in order to analyze them for technical and security purposes without saving personal information." When schools must save logs, she emphasizes, it's crucial that they remove any markers that connect their data to particular individuals.
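The distinction Rezmierski draws, keeping logs useful for technical and security analysis while removing the markers that tie them to a person, can be shown in code. This is an added example, not code from the article or from any campus named in it; the log line format, the 30-day window and the `LogMinimizer` class are assumptions, and the sample lines are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
RETENTION = timedelta(days=30)  # assumed window, in line with "a month or two"

# Constructed sample lines: timestamp, client IP, destination IP, port, bytes.
SAMPLE = [
    "2003-11-10T14:03:22+00:00 192.0.2.17 198.51.100.8 80 5120",
    "2003-11-10T14:41:09+00:00 192.0.2.17 203.0.113.5 25 880",
    "2003-11-11T09:15:47+00:00 192.0.2.17 198.51.100.8 80 2048",
    "2003-09-01T08:00:00+00:00 192.0.2.44 198.51.100.8 80 300",
]

class LogMinimizer:
    def __init__(self):
        self._day_keys = {}  # date -> random key, kept in memory only
        self.records = []

    def _pseudonym(self, client_ip, day):
        # Keyed hash: an unkeyed hash of an IPv4 address is trivially
        # brute-forced, so the token is only safe once the key is destroyed.
        key = self._day_keys.setdefault(day, secrets.token_bytes(32))
        return hmac.new(key, client_ip.encode(), hashlib.sha256).hexdigest()[:16]

    def ingest(self, line):
        ts, client, dest, port, nbytes = line.split()
        when = datetime.fromisoformat(ts)
        record = {
            # Hour granularity keeps traffic trends but resists joins
            # against address-assignment logs.
            "hour": when.replace(minute=0, second=0, microsecond=0),
            "client": self._pseudonym(client, when.date()),
            "dest": dest, "port": int(port), "bytes": int(nbytes),
        }
        self.records.append(record)
        return record

    def purge(self, now):
        """Drop records past RETENTION and destroy keys for finished days."""
        cutoff = now - RETENTION
        self.records = [r for r in self.records if r["hour"] >= cutoff]
        for day in [d for d in self._day_keys if d < now.date()]:
            del self._day_keys[day]
        return len(self.records)

def demo():
    m = LogMinimizer()
    for line in SAMPLE:
        m.ingest(line)
    kept = m.purge(datetime.fromisoformat("2003-11-12T00:00:00+00:00"))
    return m, kept
```

Within one day the same machine keeps the same token, so an analyst can still follow a scan or an infection; across days the tokens do not match, and once the day's key is gone nothing in the stored records maps back to an address.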

She adds that if colleges don't have policies regulating who has access to such logs, students are left vulnerable to censure by politically motivated administrators who deem certain students or student groups "suspicious" enough to monitor.

Perhaps most disturbing to critics and privacy advocates is the fact that schools are responding to subpoenas from the music recording industry with as much alacrity -- and as many privacy-invading techniques -- as they are to subpoenas related to national security. In their efforts to ferret out pirates, administrators are violating their own campus privacy policies, treating students who use P2P software the same way they would treat potential terrorists.

Earlier this year, administrators at Penn State decided to hunt down and punish students on the campus network who were using Direct Connect, a program that can be used to trade music files. Although Penn State promises students that their computer use won't be monitored, administrators tracked down over 200 students using Direct Connect in April and shut down their campus network accounts. Contrary to its expressed policy, the school was retaining logs of network activity that could be traced to individual students.

Penn State's vice provost of information technology, Russell Vaught, refused to say how the students had been identified, explaining only that his office had "acted within the law." But undergraduate Mike O'Connor, director of technology affairs for Penn State's undergraduate student government, showed me an e-mail he'd received from Vaught that acknowledged university techs had watched the online activities of students to find out which ones were using Direct Connect. Vaught's office may not have broken the law, but O'Connor says that he and other students believe that "Penn State violated its own policy in using these methods."

For a few months last year, the University of Wyoming used a program called AudibleMagic to look at the content of every piece of data traveling over the campus network suspected of containing copyrighted material. Administrators could gain access to any student's private data if they suspected he or she might be pirating music. Lambasted in the press, administrators stopped using the program in May. Robert Aylward, the vice president of information technology at the university, says that it no longer uses AudibleMagic and has switched to a program called Packeteer, which tracks data flow on the network but doesn't look at the content of that data.

However, an AudibleMagic rep says that other universities are adopting its technology.

There are countless products and services like AudibleMagic on the market, all enabling network administrators to place students under surveillance in the name of copyright protection, network monitoring and national security. On college campuses today, the question isn't whether your computer activity is being watched; it's who might use your private information against you.

By Annalee Newitz

Annalee Newitz is a writer. Get the gory details at Techsploitation.
