Napolitano Says She's Always Wanted To Talk About The Secret Surveillance She Hasn't Talked About Since Last August

from the it's-all-just-a-big,-opaque,-pitch-black,-secretive-misunderstanding! dept

A Techdirt reader has sent us a copy of former DHS head/current University of California President Janet Napolitano’s official response to the outcry over the secret surveillance of UC staffers — surveillance she personally approved.

Napolitiano’s letter to UC-Berkeley employees immediately ties the secretive surveillance implementation to the UCLA Medical Center cyberattack, just in case anyone (and it’s a lot of anyones) feels the effort was unwarranted.

A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack.

If your privacy is being compromised, the real villains here are the people behind the cyberattack. As for the secrecy surrounding it, Napolitano seems to indicate she’d like to discuss it, but immediately abandons that line of inquiry to blame disgruntled staffers and the media for misrepresenting her snooping initiative.

The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.

Please explain.

I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures.

Great, except that Nava’s letter arrived five months after the program was implemented and two months after a university official said the program would be shut down — a statement which itself preceded (by a month) the news that the program has actually been allowed to continue uninterrupted.

Napolitano claims there was no secrecy.

As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC, comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives.

Yes, look at all the people who were informed! And were apparently informed they could not pass this information on to anyone else!

From our earlier post on the subject — directly from some of those on Napolitano’s “approved” list.

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

[…]

For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

This assertion directly contradicts Napolitano’s depiction of the events.

I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely.

This seems highly unlikely, considering no one began publicly talking about this secret surveillance until just recently. If the information had been widely disseminated (as Napolitano’s claims she directed), the backlash would have begun months ago.

And, of course, Napolitano is all about that privacy.

Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally.

School officials — at least those allowed to see email content/web browsing history — may claim they have “no interest” in seeing it, but that doesn’t change the fact that any of them can access it without fear of repercussion. Not only that, but a third party has access to this same data — a third party Napolitano won’t identify.

She closes her official “this is all fully justified because cyber” letter with the same assertion so many officials make when secret goings-on are dragged out into the sunlight: “I’ve always wanted to have this discussion I’m now being forced to have!”

I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC.

That’s just disingenuous. Don’t extend an invitation to a conversation you can no longer avoid.

As the TD reader who sent this over explains, they’re not exactly thrilled the former DHS head is using a privacy breach to further undermine UC staffers’ privacy.

This sort of thing, by the way, is exactly the reason that everyone had the “say what?” reaction when Napolitano was appointed. This is why people were concerned.

P.S. I’m one of the people whose information was compromised in the UCLA Med Center hack, and don’t appreciate their screw-up then being used as an excuse to screw us over now.

Filed Under: , , , , ,
Companies: university of california

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Napolitano Says She's Always Wanted To Talk About The Secret Surveillance She Hasn't Talked About Since Last August”

Subscribe: RSS Leave a comment
26 Comments
That One Guysays:

'To better protect your privacy, we will be violating it as much as we can.'

Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure.

In other news an unnamed university official was heard saying that to better protect the dignity of those on campus, mandatory strip-searches will be implemented, and to better protect the diversity and ecology of the flora and fauna of the surrounding area, all plants and animals would be lit on fire and killed respectively.

Anonymous Anonymous Cowardsays:

Distance Learning

Has anyone else noticed that UCLA and UC-Berkeley are like some 500 miles apart? If there is a potential breech of UCLA’s network, wouldn’t it be better to address it in say…LA rather than Berkeley, just north of Oakland, across from San Francisco? While they are part of the same state university system they are NOT the same campus.

Could it be that Berkeley has a reputation of being a bit more radical (at least in some peoples point of view) and got included because of that? What about the rest of the UC system. Were they included or excluded? Should they be upset because they were included or because they were excluded? Or, should their ire be because of the enormous entitlement of any administrator who had the hutzpa to implement such a shameful act of intrusion?

Anonymous Anonymous Cowardsays:

Re: Re: Re: Re: Distance Learning

Neither UCLA or UC-Berkeley are small entities. I bet they have dedicated IT departments in each location.

Do you think the firewalls for the UCLA medical clinic are in Berkeley, or in LA? Which would be a cheaper implementation, a firewall in Berkeley and an uninterrupted fiber line to LA or Internet in-between with firewalls in both locations using VPN’s for interconnection? Even the UC system has monetary restraints. The cost of dedicated lines over that kind of distance is significant.

I once had the chief architect for a large bank explain how they put together their fail-over system between data centers in Minnesota, Arizona, and California and how it worked. Two dedicated fiber lines on each leg of the triangle with two ISP’s at each location. Not cheap, it took a long time to complete, and a bank is not a university.

Think also about HIPPA compliance issues.

sorrykbsays:

Re: Re: Distance Learning

It’s my understanding that has been (or will be) rolled out across all 10 University of California campuses.

So it could affect (using 2013 stats, rounded):
240,000 students
195,000 faculty and staff (inc. medical centers)
+ Unknown # of external researchers, general public, and med ctr patients

aerilussays:

Re: Re: Distance Learning

i know in nc there is a centralized fiber network called ncren that all universities and hospitals connect to then all traffic flows out of it to the internet. if things are similar in california this should be viewed as a bigger deal. using layer 4 stuff to analyze packet content has nothing to do with good security and it just a bunch of crap imo.

That Anonymous Cowardsays:

“engage with all stakeholders”

Also read as, I told the people in power because the rest of you don’t matter. I told them all of the wondrous things it would do for us and never mentioned an downsides. Total surveillance on our serfs is the proper response, so that we can make sure they don’t do anything wrong as defined by our whims.

You’re doing a heck of a job Big Sis…

Anonymoussays:

When that lack of discussion with the main interests of the common students and professors is the main problem, you are merely fueling the conspiracies by not calming the discussion with facts or at least something resembling it so people defending her has at least a party-line to grab!

With this she comes off looking like a lobbyist trying to force her secret companys snakeoil on a university!

Rich Kulawiecsays:

Ahem...

While we have absolutely no interest in the content of any individual?s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally.

Bullshit. All of it: bullshit.

Cpt Featherswordsays:

Don't worry, we disclosed it to our secret Committee

“Leadership at all levels… has been kept apprised” by convening a “Cyber Risk Governance Committee (CRGC)” which comprises one nameless administrator from each campus (“each campus?s Cyber Risk Responsible Executive”), one “representative of the University?s faculty Senate,” and unspecified minions from Napolitano’s office.

A single, unnamed faculty member from one of the ten campuses was let in on the secret. That is how Napolitano keeps the faculty “apprised.”

She appoints her pet committee to be the venue within which she invites “robust discussion and debate”. Of course everyone on the committee works for her, except the lone faculty representative.

I suppose the Med Center incident simply gave the Napolitano administration a plausible excuse to cover something they were preparing to do anyway.

tqksays:

Who hired her?

Perhaps we should start with firing the entire board of regents who hired this nincompoop who dragged the name of a distinguished institution of learning into the mud and sold all of its employees and customers’ PII to a commercial third party in an insane and imbecilic abuse of “security” in order to protect the institution itself. I’d love to learn the name of the person who first nominated her for the job. Off with their head!

What a mess.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow