Credit Elizabeth D. Herman for The New York Times
After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university systemâs 10 campuses.
Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s.
New Technologies Give Government Ample Means to Track Suspects, Study FindsJAN. 31, 2016
White House Letter: For Gadget Geek in the Oval Office, High Tech Has Its LimitsJAN. 24, 2016
Tech Fix: Apps to Manage Passwords So They Are Harder to Crack Than âPasswordâJAN. 20, 2016
Entrepreneurship: No Business Too Small to Be HackedJAN. 13, 2016
In recent days, the professors have begun speaking out publicly about the issue. âMy primary concern is monitoring the private information of students and faculty in secret,â said Eric Brewer, a professor of computer science at U.C. Berkeley. âIâm sure thereâs good intent. But I canât see a good reason for doing it.â
Credit Elizabeth D. Herman for The New York Times
The resistance from Mr. Brewer and other professors at Berkeley, which is now becoming a public debate with the university systemâs administrators, raises the issue of how to define academic freedom in the age of online attacks. While some of the professors criticize the monitoring program as one that invades their privacy, the University of California has responded that âprivacy perishes in the absence of security.â
Itâs part of the larger challenge that fast-moving technology poses for social values. Every day, corporations, government agencies and universities must balance the need for computer security with the expected right to privacy of the people who use their networks. In different settings, there are different rules, expectations and levels of threat.
âWeâre really just starting to sort out the risks and rules for digital security and data collection and use,â said Elana Zeide, a privacy expert at New York Universityâs Information Law Institute.
The Berkeley dispute stands out because of the place and personalities involved. U.C. Berkeley is not only a leading producer of computer science talent, but also a champion of the free speech movement, so any surveillance is regarded as particularly jarring. For her part, Ms. Napolitano, who joined the California university system in 2013, is no stranger to computer security policy, having served four years as the nationâs Homeland Security chief.
The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of Californiaâs chief information officer in December, the professors asked for the program to be halted.
On Jan. 19, Ms. Napolitanoâs staff responded in a five-page reply declining to do so; the letter was emailed last Friday to the entire Berkeley faculty and others. The University of California defended the security initiative as a measured step under the circumstances, and added that âfor cybersecurity purposes, a risk to what appears to be an isolated system at only one location may in some circumstances create risk across locations or units.â
The university said Ms. Napolitano was not available for an interview. Steve Montiel, press secretary for the presidentâs office, said he was not aware of any complaints from other campuses about the monitoring program.
The roots of the dispute stretch back to the attack disclosed last July at the UCLA Health System, which potentially put the private information of 4.5 million patients at risk. In an interview on Monday, Tom Andriola, chief information officer of the University of California system, said after the medical center attack the system administrators had to âmove swiftlyâ to insure against similar breaches.
Some faculty members, he acknowledged, may have understandably felt there was too little consultation. But Mr. Andriola said that âmoving forward the faculty will be deeply involved.â
Last Oct. 27, the presidentâs office issued a short statement describing the new data-tracking program, called the Coordinated Monitoring and Threat Response Initiative. The programâs hardware and software are being supplied and run by an outside contractor, Fidelis Cybersecurity. The presidentâs office has set up a Cyber-Risk Governance Committee to oversee programs like the data center monitoring, which includes a Berkeley representative, though not a tenured faculty member.
The faculty members learned about the monitoring program from people who knew it was being put in place, but who asked not to be identified because they were not authorized to disclose the information. Once alerted, the faculty group became concerned.
Credit Richard Hartog for The New York Times
Just what data is being collected and stored in the monitoring program is unclear. The presidentâs office has not explained the data collection and data use practices of the program, the Berkeley professors said.
âThe issue here is the lack of transparency and the lack of shared governance,â said Greg Niemeyer, director of the Berkeley Center for New Media.
Lawsuits stemming from the UCLA breach last summer prevent the presidentâs office from disclosing details of the monitoring program, according to Rachael Nava, chief operating officer of University of California system, who signed the Jan. 19 letter. In the letter, she said the legal constraint was âregrettableâ because she could not share additional information that âmight correct some of these misimpressions.â
Mr. Andriola emphasized that the program monitored network traffic rather than mining the contents of email messages, for example. âThis is not spyware,â he said.
The standard practice at Berkeley, the professors said, had been to immediately delete the so-called log files that show the websites a person had visited or the origin and destination of email traffic. The exception, they said, was if a pattern of network use signaled the suspicion of data theft or a hacker attack. So in the past, they said, the monitoring in Berkeley data centers was light-touch, and targeted.
The worry, Mr. Niemeyer said, is that if network traffic logs are stored, they could be subject to subpoena. An example, he said, might be if a foreign student from China or some other autocratic nation is visiting the websites of dissidents or emailing them.
âBefore, we could just say that we just donât have the records,â Mr. Niemeyer said. âNow, itâs not clear we wouldnât or the third-party company wouldnât. That is the kind of scenario that is not unlikely.â
Other examples, he said, might be constraints on academic freedom to research topics that some object to â say, pornography or Satan worship. Such inquiries, in theory, could become the target of congressional investigations into the use of taxpayersâ money that supports a major public university like Berkeley.
In December, the Berkeley faculty group met with Mr. Andriola to voice their concerns and call for a stop to the monitoring program. In the Jan. 19 letter from Ms. Nava, she stressed the âseriousness of the threat.â The digital attacks can sometimes jump from one network to another, she said.
The Berkeley professors remain unpersuaded. Corporations often monitor the online behavior of their employees, but American universities have a different tradition.
âItâs a pretty settled point that universities go out of their way not to monitor students, faculty and staff,â said Jeffrey MacKie-Mason, the university librarian at Berkeley. âYes, sometimes security concerns trump privacy. But itâs something we should have an informed discussion about.â
Mr. Andriola said he welcomed a dialogue with the university faculty as a whole. âThis is not a technology issue,â he said. âIt is about how to strike a balance between being a very open university while still protecting the assets of the university from nefarious actors.â