In an effort to deal with the rise in widespread security vulnerabilities and exploits over the past few years, Stanford has decided to use BigFix Enterprise Suite for patch management. Of course, patch management is certainly not the only thing this software can do (and will be used for) and as we at ResComp began to learn what BigFix is usually really used for and could really do, privacy alarm bells went off in our heads and for the past year, we’ve been fighting a battle to strike a balance between keeping student computers and the Stanford network secure and protecting student privacy rights. And despite how much time and effort has gone into this fight, I haven’t really written about this here because we were still in the middle of negotiations. But the lid, at least for now, has been closed and I can sound off on some key privacy and security issues.
The deal is this: the decision to use BigFix was first made by the folks at ITSS (and given the go ahead, of course, by higher ups). At Stanford, the IT structure is a little strange. It’s divided into two main groups: ITSS, who focuses on administrative systems, infrastructure, etc., and the Libraries, who focus on academic computing needs (including residential needs since Stanford has a strong commitment to residential education and most students live on-campus). But of course, real management of computing resources and services is even more decentralized than this strange arrangement, so as one can guess, managing the network and deploying technology throughout campus usually involves getting a lot of people from different groups to work together. You can imagine how folks in charge of administrative systems and infrastructure can often disagree with folks in charge of promoting the academic mission and student life. On one hand, allowing students to connect whatever computer they want to the network and experiment with their computers is, I believe, a key part of educational freedom and promotes self-learning. On the other hand, it’s a nightmare for network security and management, not to mention desktop support. Another part of this balancing act is the fact that a university computing environment isn’t necessarily a corporate computing environment and in addition to regular university employees, you have faculty who often have experimentation with computing technology at the heart of their research and you have students who live on-campus and make it their home, their community. Certainly, there are significant differences between what kind of programs a faculty member can run on computers paid for with research funds and what a residential student can do with his personally-owned computer and what a university employee can do with his university-owned computer.
In the end, the compromise was to provide supplementary documentation for residential students, hoping to educate students about the privacy concerns and let them make the right choice for their own computing needs. Our main goal was to make sure that students were educated (what a novel idea at a university) and had all the information necessary to make the right decision for themselves. The one thing we wanted to avoid was to have the University hand down BigFix as a requirement for getting onto the network. While I certainly agree that the University should be able to require students to patch and secure their machines, I do not believe they should be asked to install a potentially invasive piece of software on their computer and in the name of security, give up their privacy rights. Some may say that the list of retrieved properties is nothing to get so worked up over, that collecting this information automatically will help local network administrators and departments have better inventory information, and that most people won’t care if the University collects this information about their computers. Well, I hardly think that poor record keeping and inventory management on the part of local network administrators or the fact that most people just won’t mind are reasons to ask 10,000 students to install, in one sense, monitoring software on their personal computers.
Personally, BigFix for University-owned machines, especially those that store confidential information (including email), is a no-brainer– I believe that in those situations, computers should be imaged and employees should have locked-down configurations (no administrator access) anyway. And because we are talking about workplace resources, I understand that there is no reasonable expectation of privacy (although, I believe that a more relaxed approach fosters higher employee morale). But when it comes to my personal computer, I will not choose BigFix. In some ways, my situation is similar to those of the residential students my department supports– as part of my employment, Stanford provides me with “Stanford DSL,” paying for my service and giving me Stanford IP addresses for my home network. And realistically, when I come home from work, my employer can still monitor my network usage. In my home, my situation is very similar to students living on campus (although, unlike them, I have the option of a different broadband provider) and given that situation, I won’t be using BigFix at home. For me, I am more than capable of following good security practices to keep my computer, and in turn, my little part of the Stanford network secure. I don’t believe that there is an urgent and pressing need for the University to know how much total drive space I have or the serial number to my personal computer. Some of the retrieved properties might seem trivial– what my CPU speed is or what my computer name is (something that’s already available via Windows networking)– but I should still be able to choose whether or not people know. It might seem trivial for people to know what color my couch is or what shape my dining table is, but it’s still my right to decide who knows these things.
The most important thing, at least right now, is that we hold onto the right to choose because while it may seem trivial today, who knows what our “trivial” personal information could be used for tomorrow.
Which brings me to my final point: one of the big reasons why we must protect our personal privacy is that unfortunately, there are many out there who might use it against us. When we were in the thick of the privacy argument over BigFix, we realized there was a fundamental misunderstanding– some thought our reluctance to use and promote BigFix was because we feared that the information collected would not be secure, because we feared that the central databases would be broken into somehow or that console operators would abuse their access to this confidential information. These are concerns, of course, but our greater fear is that tomorrow, the next day, or sometime after that, suddenly the information would be used by the proper officials through the proper channels in a way that we do not agree with. Today, some collected information might be used only for inventory purposes; tomorrow, it could be used to unfairly profile network users. Today, total disk space might just be for statistical purposes; tomorrow, it might be used to make unfair accusations about what that disk space might be used for. It’s apropos that I just finished reading Dan Brown’s “Digital Fortress.” A recurring theme is “Who will guard the guards?”
Last week, I finally got my console operator account access and logged in to take a look at the console software. I had sworn to myself, to my fellow console operator, and to the folks at ITSS that I would not be looking at the retrieved properties. We collect our own statistics during network registration and our yearly survey (with over 50% participation each year) and keep organized network node records– we don’t need to look at records for inventory purposes and we don’t want to look. And for us, we believe and have proven that spreading the word, using our RCCs and the dorm community network to educate and encourage students to follow good security practices, actively managing and policing our network, knowing our users, is the best way to maintain good security. We don’t necessarily need a 100% solution– we need one that keeps our networks manageable and usable. But when I pulled up the console software, I couldn’t help but look. Retrieved properties for hundreds of computers just come up automatically as soon as you log in. Ah temptation, thy name is BigFix. I only looked around for a few minutes, but by the time I had logged off, I felt like I had violated so many with a few easy clicks. If I could do it so easily, believing so strongly that I should not look at the data, imagine how easy it would be for those who want to look, who are dying to look and analyze and use this data for their own purposes. Who will guard the guards?
In the end, that question was never really answered– or rather, few believed somebody needed to guard the guards. But there was the final piece of our compromise: we asked that a notification list be created for all BigFix users, that the option to subscribe to the list was presented during installation, and that whenever the list of retrieved properties changed, everyone on the notification list would be notified. It’s not a perfect solution– we would have preferred mandatory and automatic subscription for all users who install the program and a heads up before the list was changed– but it’s something because it, once again, lets us hold onto choice. Today, I might be willing to give up this much privacy in the name of security and convenience; if you ask me tomorrow to give up a little more, I might decide that the price has become too high and I can exercise my choice to opt out. And isn’t that the basis for freedom, educational or otherwise– choice?