BRO: Software for Watching Your Surfing and eMailing Habits
Annalee Newitz/Salon writes about campus surveillance of internet activities in "Don't look now, but the dean is watching":
At the University of California at Berkeley, the everyday Web-surfing habits of students are regularly watched and recorded. Berkeley's Systems and Network Security group uses a program called BRO -- named after the infamous fascist icon from George Orwell's "1984" -- that keeps logs of every IP address students visit on the Internet from the campus network.
Cliff Frost, UC-Berkeley's director of communication and network services, says that "this practice is under review right now," because the campus community feels it interferes with academic freedom. He expects that the university will continue to keep logs but will discard them after a month or two. "I'd love to keep that data forever," he adds, "if there weren't the threats of subpoenas for vile purposes."
He is referring partly to recent actions by the Recording Industry Association of America, which has subpoenaed universities for the names of students allegedly engaging in music piracy. Techs must comb through saved logs for personal information to fulfill the subpoenas' demands. Some schools, including MIT, have refused to hand over the information by arguing that it is protected under the Family Educational Rights and Privacy Act. FERPA is designed to stop students' personal data from being handed over to third parties, and no one has yet challenged the use of FERPA in these copyright cases.
But there is a little-discussed section of the USA-PATRIOT Act that renders FERPA completely useless when federal officials subpoena personal student information for terrorism-related investigations. Not only do these federal subpoenas bypass FERPA, but the people served are not permitted to discuss them with anybody.
The article starts with an example involving Raytheon at the University of New Hampshire, where students were planning a protest and the entity they were protesting pulled out of a presentation at the last minute, after the VP of student affairs got wind of the students' plans. Apparently, this VP is not on the email list, but the list was being covertly monitored. Accessing the Internet on campus means that everything done is watched. This is not just for security (Patriot Act) purposes, but also to monitor illicit file sharing and other copyright-violating activities. However, the privacy implications are huge, and because privacy protections are spotty or non-existent, this kind of surveillance is possible without notification, other than what is buried in the various lengthy policies one clicks through upon setting up an account, or finds by going back later to view the information. But there is nothing explicit about the surveillance, and therefore users are surprised when schools take action based on it.
Also, here is some information on BRO:
One of the greatest concerns about systems like this is the fact that potentially confidential data may be collected and examined by the system. As mentioned above, Bro is an automated system. So when we say Bro examines data, that data is not selected or seen by people. However, in order to be able to investigate suspicious activity, some data is logged and security personnel may examine that data. The data may include complete transcripts of login sessions, any files transferred over the network, email messages, etc.
Obviously, this data is very sensitive and requires the highest level of protection. Access is restricted by the "Privacy and Confidentiality" sections of the University of California Electronic Communications Policy. This policy requires that the campus annually report on data that is accessed without users' consent. For the most part, this data is never seen by anyone other than security personnel if it's seen at all. Typically this data never leaves the systems where it's collected, which are physically and electronically secured. However, if an attack is confirmed, relevant data may be turned over to the managers of the affected systems as well as outside authorities and possibly law enforcement officials. Occasionally, aggregate data may be given to nonsecurity personnel for network and infrastructure planning. Of course, such aggregate data would be stripped of any personally identifiable content.
The document's name says it is from Winter 2001, but there isn't anything in the HTML code confirming this. Also, the description of the system emphasizes that BRO is meant to detect outside intrusions to the network, not internal activities of users. However, the Wired article indicates otherwise, as those in the Network department confirm in the quotes above, though they say the retention policy for logs is under review right now and may be changed so that logs over a month old are discarded in order to protect privacy.
UPDATE: Tracy Mitrano/EDUCAUSE have "Civil Privacy and National Security Legislation: A Three-Dimensional View" (pdf) (or htm)
Posted by Mary Hodder at November 12, 2003 01:40 PM