Sometimes the Man can really get you down, especially here at Columbia, but not always for the wrong reasons. In light of today’s town hall on protest rules, we bring you an article from the Blue and White’s December issue on security at Columbia. This is the second half of the investigation written by Naomi Cohen. You can read the first half here.
Last year, when the Associated Press reported that the NYPD spied on Columbia Muslim students, University President Lee Bollinger denied that the school knew or participated in the NYPD operations.
“We weren’t explicitly aware of it [the surveillance],” said then-Muslim Students Association president Abdul Hanif, “but we were not surprised at the same time.” After meeting with McShane and other top administrators to demand an explanation from administrators, Hanif said that the neutral response from McShane and superficial treatment of the issue led him to suspect that Public Safety was involved and may still be involved in surveillance.
According to McShane, the department is in contact with the 26th precinct—and Student Affairs—every day, conducts joint investigations, and holds “a very positive collaboration.” Almost all of the senior management investigators in Public Safety are former NYPD investigators. Both McShane and Held declined to comment on what situations merit Public Safety investigation or compliance.
As a high-profile, globally-focused, elite university, Columbia attracts non-OGC intelligence gatherers that hold enough authority to demand the information directly.
After September 11, the Department of Homeland Security became a significant sponsor of Public Safety projects, such as the outpost on 119th and Amsterdam that guards traffic on Columbia’s street level, according to one of the anonymous officers. Held, the Public Safety spokesperson, denied that it had received funds from Homeland Security. Under federal policy, Immigration and Customs Enforcement monitors Columbia international students through the Student and Exchange Visitor Program (SEVIS) as a condition for the university hosting students from abroad. Columbia, as a certified school, is obligated to report changes in student information and events that could jeopardize students’ visa status.
Another stipulation of the Patriot Act, the now-defunct National Security Entry-Exit Registration System (NSEERS), required Muslim nonimmigrants to register with immigration authorities and supply anything from debit card numbers to class schedules to contact information for someone at Columbia. Responding to student concerns in 2003 about external requests for data, then-Provost Jonathan Cole confirmed that the University would comply with conventional privacy legislation, including capitulation to judicial orders and subpoenas. NSEERS was replaced in 2011 by US-VISIT, which collects fingerprints and photos of all non-US citizens who apply for visas or arrive at major ports of entry.
CUIT’s occasional use of cloud services raise additional privacy concerns. At the end of 2012, Lionmail moved onto Google’s GMail infrastructure, which means that disclosure of information to US courts or other forms of government requests and surveillance depends on the discretion and security of Google, as well as Columbia.
If the Federal Bureau of Investigation wants information, it has three options: it can file for a search warrant, which requires more specifics; it can request metadata, which is tougher to decline legally; or it can petition the Foreign Intelligence Surveillance Court to use CIPAV, its own spyware tool. The OGC can only decline requests for data along legal terms.
While politically-oriented groups may be suspicious of the attentive eyes, Public Safety views itself as a watchful parent. Bigger and more controversial events attract more officers to keep all parties safe. Requests for student privacy in spaces like dorms and libraries tend to be respected: video cameras are only installed at the entrances, though Resident Advisors and security guards are expected to report certain sightings and activities.
CUIT is much the same. “They don’t re-garnish their mission to protect individual students’ privacy on their own computers,” said Internet security specialist and computer science professor Steven Bellovin. CUIT’s job is to make the the university’s computers and networks secure.
Despite adaptive policies and routine monitoring for compromised data and unauthorized access, the Information Security Office will never be able to secure the system entirely. “Everything is broken and old and crusty,” said a Columbia alumnus and security researcher who asked to remain anonymous for job security reasons. As in any large IT infrastructure—especially one with such diverse needs as Columbia—bugs are inevitable.
Leakage happens. In both 2007 and 2010, thousands of Columbia-affiliated Social Security Numbers were accidentally leaked by CUIT. At the Chaos Communication Conference in 2010, German hackers demonstrated how to extract data from and reprogram the same type of smart cards used for the CUID.
The CNet Linux terminals computers installed around campus are also only infrequently updated with security patches, which means any bugs CUIT doesn’t recognize could give hackers administrative access. The kiosks use sizeable pieces of software like LibreOffice, Firefox, and XFCE which provide a large vulnerable target that security specialists and hackers can potentially exploit.
Bellovin said that, while CUIT works to stay ahead of hackers with amateur-to-moderate skill level—he listed teens, virus writers, and disgruntled employees—they likely do not have the capability to catch “advanced persistent threats” (APTs). The term commonly refers to government espionage agencies that employ skilled hackers who can avoid almost all detection.
“It is certainly possible that foreign governments are trying to hack into Columbia University, either because they want […] some technical information, or because they want to keep tab on their nationals,” said Bellovin. “I haven’t heard of such things, but the repeated suggestion is that certain governments are doing this thing for economic espionage.”
In October and November, amid growing concerns about data security, CUIT updated its entire policy library, which now “formalizes the risk management program which we have launched, and defines the controls required to mitigate [data insecurity],” said Chief Information Security Officer Medha Bhalodkar in a phone interview.
The new policies clarify terms, consolidate guidelines from previous policies and from the medical campus, and, based off of research and discussions last year, establish rules that facilitate even more consistent and effective monitoring. All policy changes must be approved by the Administrative Policy Advisory Council, which consists of representatives from all departments and schools, including Bhalodkar, and are soon after published online. CUIT is not obligated to notify the school of any changes.
No University policy represents a contract, according to the Essential Policies website. “What the University is saying is, ‘Trust us,’ and the reader gets to pick,” said Columbia law professor Eben Moglen, known for his lecture series entitled Snowden and the Future. Because Columbia is a non-profit, it “basically sustains no regulation of any kind” except for peremptory control in the New York State courts, which is rare. CUIT follows the OGC’s command, which largely responds to the university president and the Trustees, whose “opinion is, for most purposes, final.”
The only legally mandated check on security policy at Columbia is the Security Advisory Committee (SAC), which is required by New York state education law. Sparse records show that the last meeting of the committee was in 2003. Last year, University Senator Jared Odessky, CC‘15, pushed to reactivate the committee and participated in its first meeting, in August. It has the minimum number of members (six), the minimum number of students (two), and will meet the minimum number of times a year (once a semester). In its first and only meeting so far, the committee gave an overview of Public Safety and sexual assault policy over the phone. The SAC can only request information from Public Safety, which is not obligated to share, and report on the status of security to Bollinger, who is not obligated to make changes.
Students have so many points of contact with the University, be they on or off Columbia property, that they cannot avoid all video surveillance or potential interception of data. Even if student groups avoid Lionmail, Public Safety is likely to show up, either planned or unplanned, uniformed or plainclothes.
CUIT does offer a few services that can be used “not as sore point, but as a shield,” according to Moglen. An easy tool: kiosk computers, which are used by multiple people without requiring log-ins, make it difficult for CUIT to locate individual student activity. To remain incognito, the kiosk user must not log into any university accounts and should choose a kiosk out of sight of cameras and with physical access not impaired by an ID card swipe.
For more advanced users: CUIT supplies “shell access” to a Unix system it operates called CUNIX via the heavily encrypted SSH protocol. Such access allows users to securely tunnel Internet traffic through Columbia’s network. For example, a student studying abroad in a country with Internet censorship could connect to the Internet securely through CUNIX. A student at a McDonald’s can mask traffic from advertisers.
To anonymize all Internet traffic, students may use Tor, an open-source system originally developed by the US Naval Research Laboratory that hides users’ IP addresses. To encrypt emails and attachments, students can use Pretty Good Privacy (PGP) via the free open source GNU Privacy Guard (GPG). Encryption services tend to demand a certain level of proficiency, but they currently offer the best way to keep personal information private.
Students who skip these measures can still rely on certain legal barriers that require the University to notify students when accessing sensitive information. The Family Educational Rights and Privacy Act (FERPA) protects educational, personally identifiable, and directory information and the Health Insurance Portability and Accountability Act (HIPAA) protects medical information. FERPA also offers an opt-out option, available through the University Registrar, that requires the University to seek student approval when sharing directory information. Still, both acts include a clause that overrules this protection in the case of a subpoena or judicial order.
When presented with the choice between security and privacy, CUIT listens to the lawyers of the OGC; Public Safety follows the command of NYPD veterans. Neither is infallible: CUIT is constantly catching up with its own system, and Public Safety is constantly testing and purging its own staff. Both also rely on trust with the student body.
The more places these departments can access, the greater their monopoly on student data, and the more effectively they can do their jobs—and the jobs of others. Unless students learn encryption and dodge university services whenever they can, all they can do is evaluate the judgment of others.
“One of the things that is true in living in a surveillance society is there is no department of surveillance,” Moglen said. “Surveillance becomes a way that everything works, and because everything works a little differently, it works differently everywhere those things are.”