Apple’s refusal to unlock an iPhone for the FBI has sparked a legal war, and a nationwide debate over law enforcement’s access to private consumer data. But unknown to most people, versions of this battle play out all the time on university campuses, with little to no transparency.
Following damaging leaks by NSA contractor Edward Snowden in 2013 – which indicated major tech companies allowed the government to access customer data – it became an industry norm to issue annual transparency reports. These reports detail law enforcement requests for private data and network access, and how those requests are handled.
No such transparency exists for public universities, though they are often de facto Internet service providers, and regularly receive requests from law enforcement for student, faculty, and staff data. The University of California at Berkeley moved to change this late last year, issuing the first transparency report for a university. Officials at University of Washington and Washington State University say they’re open to copying the idea.
“Transparency is often talked about as a benchmark of privacy, and with a new president (at UW), we wouldn’t be surprised if they thought there was value in something like this,” says University of Washington Chief Information Security Officer Kirk Bailey. “We could get a report together in a week, if they asked. But that’s not a question for us (in the school’s IT department). We support this. I think it’d be interesting to the higher-ups.”
According to Bailey, there are 250,000 active users of UW accounts, and over 50,000 devices connected to university networks at any given time. This includes the school’s main campus, satellite campuses, and properties like Harborview Medical Center. At Washington State University, Chief Information Security Officer Thomas Ambrossi says there are about 150,000 active accounts and an average of 45,000 devices connected to the network at any given time.
Both Bailey and Ambrossi say it’s common to receive requests from government agencies for network access or data. These requests are treated with all due scrutiny and calls for the proper warrants, they say, unless there is a demonstrable threat to the university or the health of individuals.
But without a transparency report, it’s impossible to know how these requests are actually handled or how many there are, beyond anecdotal accounts. UC Berkeley’s report has already revealed the school fulfills requests more frequently than Apple, adjusted for the number of users.
“If you asked a random student on street, or faculty, they’d have no idea these requests are happening,” says William Allison, UC Berkeley’s Chief Technology Officer. “Given the overall surveillance climate in the country, we can see why Silicon Valley companies would see these (transparency) reports as being in their business interests. But this transparency is actually core to the higher education mission of creating a climate of freedom of speech, and rigorous debate.”
Jason Schultz, director of the Technology Law and Policy Clinic at New York University, has said that “by committing to transparency”, UC Berkeley has started an important new conversation on privacy. If other universities follow suit, benchmarks could emerge regarding student and faculty privacy, “especially in terms of asking that law enforcement officials go through the proper oversight channels, such as getting a warrant from a neutral judge” before being allowed access to data.
Reports can also reveal whether “there are any spikes around important political events, such as protests or rallies” and may serve as a tool for student and faculty activists in advocating for privacy issues.
Transparency reports would serve an additional purpose at UW and WSU. Both Bailey and Ambrossi say law enforcement can take their requests to individual departments at the university, instead of going through the school’s proper channels. This may mean the requests face less scrutiny.
“Our central IT staff is 500 to 600 people, but there are about 3,000 people in IT roles out in department land,” says Bailey. “A law enforcement agency could go to the Poetry Department with a request and bypass the central system.”
Were the university to compile transparency reports, these off-the-beaten-path requests by law enforcement would be brought into the light, because central IT would be empowered to collect university-wide data regarding them. Departments might learn to redirect requests to proper channels, where they can be vetted more fully.
Technology officers from UW, WSU, and UC Berkeley all say transparency reports do not represent a heavy commitment of time or resources, and are mainly a matter of logistics. However, given the reports require cooperation from other university departments, they’ll only be created if school leadership gives the go-ahead, they say.
Bailey and Ambrossi both say they have a “good relationship” with local police and FBI field offices, and only provide them access to student, staff, and faculty data when appropriate. UW spokesman Norman Arkans says the school places “a very high value on protecting individuals’ privacy, and we believe we have good policies, well-established for doing so.”
However, knowing these requests are being made with some regularity, but not knowing how they’re handled, has a “chilling effect on your ability to be autonomous and creative and all the things we try to create in a university,” says Lisa Ho, Campus Privacy Officer at UC Berkeley.
Ho believes UC Berkeley’s transparency report will be most useful if schools like UW and WSU create them as well, following the lead of the tech industry in making this an issue. That means going beyond expressing a commitment to student and faculty privacy, she says, and starting to show it.