The basement of the Gates Computer Science building has terrible reception. A memorable part of CS107 labs was logging in to the Myth machines, which involved running upstairs to receive our two-step authentication texts. Each time, we cursed the new system’s inconvenience and begrudgingly entered the SMS code.
Two-step authentication (TSA) was introduced along with a series of initiatives implemented throughout the 2013-14 school year. While TSA has been the target of many complaints, certain lesser-known mandates have been a source of far more serious concern.
On Jan. 14, 2014, Stanford announced additional security requirements applying to University employees’ devices. Shortly after, a coalition of faculty, graduate students, and the Electronic Frontier Foundation (EFF) voiced concerns about these mandates and their implication for personal privacy.
Several requirements outlined in the letter posed particular concern, including the installation of BigFix, a program that “ensures applications are patched with the latest security updates”, and the installation of Identity Finder (IDF), which scans users’ computers for unencrypted confidential data and generates reports noting the location of those files.
Previously, each person in the Stanford community was individually responsible for installing updates on their devices, but according to Stanford Answers people frequently missed important patches. “That failure [to install updates] can place everyone on the shared network at risk,” explained the site. “Providing centralized management for certain aspects of computer security is vastly more efficient and reliable than the present very decentralized arrangement.”
However, a number of people were concerned by the capabilities of the BigFix software. “BigFix is basically a backdoor that gives [IBM] and Stanford control over your device,” said PhD candidate Tomer Altman in a message to the Liberationtech mailing list, a forum for discussing the development, improvement, and dissemination of technology to deliver economic, social, and political benefit.
Crunchbase describes BigFix as a “platform enabling real-time visibility and control of desktop, mobile, and server computers”. The software is mandatory for employee and medical student devices that store, transmit, or access personal information; otherwise, it is only strongly encouraged.
In response to Altman’s original post on Liberationtech, Rich Kulawiec contended that “backdooring end-user systems en masse provides one-stop shopping to an attacker”.
Kulawiec had previously penned a separate op-ed in which he argued that mass data retention by the government enables the very criminals it intends to catch by building up immense sets of valuable data. “Given the parade of security breaches … we see on a daily basis, it’s certain they’ll get it,” he wrote. “They’re not [building a weapon]. They’re building a target.” Though the circumstances are different, his concern remains the same: centralizing control of computers on the Stanford network may create a highly desirable target for potential hackers. If an attacker were to compromise the BigFix platform, every computer to which it has access would also potentially be compromised.
“These are valid concerns,” said Chief Information Security Officer Michael Duff in an interview with The Stanford Review. “In fact, we share the same concerns about any software that is broadly installed on user systems … as they introduce potential critical vulnerabilities.”
To address these matters, the University has limited administrator access to a small number of individuals, and all actions are logged locally and made accessible by the end users for review at any time. Furthermore, wherever possible there are technical controls to ensure that at least two individuals must be involved when making changes to production systems.
“We are not aware of a single instance when a Stanford employee has misused BigFix to invade the privacy of an individual user, nor are we aware of any breaches involving the BigFix infrastructure,” noted Duff. “BigFix has … protected Stanford devices from countless compromises over the past decade, most of which would threaten the personal privacy of the user. The benefits we have gained from the broad deployment of BigFix far outweigh the speculative possibility of IBM’s or Stanford’s using BigFix for purposes other than what is intended.”
The capabilities of Identity Finder (IDF) also concerned members of the Stanford community. “The IDF tool effectively means that the … administration continuously searches your personal laptop for any objectionable material,” said Altman.
Duff noted that the generated reports show only file paths of documents that appear to contain credit card or Social Security numbers and the last four digits of these numbers. These reports are then shared with the employee’s support team. However, the software does have the capability to search through all files on a system, which remains an issue for some members of the Stanford community.
According to Vice President of Business Affairs Randy Livingston, some IT units across the University have previously run IDF without prior notification to users. At the time, the administration requested that the IT groups notify users, but consent was not required. However, the University has since developed an applet to go along with IDF that requires user consent before running. “Our intent is to require such consent going forward as a matter of policy,” said Livingston.
There were also concerns that the IDF procedure is not only invasive but ineffective as well. “Locating PII on systems is not a solved problem in computing,” said Kulawiec. “For anyone to pretend otherwise is, at best, disingenuous.”
In response, Duff explained that IDF searches files for specific numerical patterns matching credit card and Social Security numbers, which can be easily identified by simple pattern matching. IDF also reduces the false positive rate by performing validation such as confirming a credit card number’s check digit, a method of distinguishing valid inputs from mistyped or otherwise incorrect ones.
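To make the described approach concrete, the following is an added example scanner, not Identity Finder’s code or anything Stanford published. It assumes the check digit Duff refers to is the Luhn check digit used on payment card numbers, and it adds Social Security number plausibility rules (area not 000, 666 or 900 and above; group and serial not all zeros) that the article does not mention. The file paths and file contents are constructed sample data; the report it produces contains only the file path, the data type, and the last four digits, matching the report format described above.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSNs in the AAA-GG-SSSS layout (hyphens or spaces as separators).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[ -](\d{2})[ -](\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 fold back to a single digit
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA never issues (assumed rules for this example)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


@dataclass
class Finding:
    path: str   # where the match was found
    kind: str   # "credit_card" or "ssn"
    last4: str  # only the last four digits are ever reported


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return findings that survive validation."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn rejects most transposition and typo errors; the all-same-digit
        # filter is an extra heuristic (e.g. 0000...0 passes Luhn trivially).
        if luhn_valid(digits) and len(set(digits)) > 1:
            findings.append(Finding(path, "credit_card", digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(path, "ssn", m.group(3)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (stands in for walking a disk)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def report_lines(findings: list[Finding]) -> list[str]:
    """Render the report: path, type and last four digits, nothing else."""
    return [f"{f.kind} ****{f.last4} in {f.path}" for f in findings]


# Constructed sample files; the card number is a well-known test number.
SAMPLE_FILES = {
    "/home/alice/notes.txt": "Card on file 4111 1111 1111 1111, exp 11/26.",
    "/home/alice/hr/form.txt": "Employee SSN 123-45-6789 (payroll copy)",
    "/home/alice/misc/ids.txt": "Tracking 1234567812345678 and test id 000-12-3456",
}

if __name__ == "__main__":
    for line in report_lines(scan_files(SAMPLE_FILES)):
        print(line)
```

The third sample file shows both validation steps doing their job: the 16-digit tracking number fails the Luhn check, and the 000-prefixed SSN candidate fails the issuance rules, so neither is reported. The cost of this approach is also visible: the scanner must read every file's full contents to find these patterns, which is the capability that concerned the critics quoted above.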
Despite the outcry by some faculty and graduate students, others voiced support for the new policies. Liberationtech member Michele Chubirka noted that the provisions only apply to university employees, university-owned equipment, or personal equipment touching PII.
“They’re actually being pretty fair, by allowing BYOD at all for employees and a guest network for personal devices,” said Chubirka. “If you feel these measures could violate your privacy, then don’t use your personal equipment to access Stanford-classified PII/PHI. And don’t put your personal data on university-owned equipment.”
Faculty Senate Response
On Feb. 11, the Faculty Senate Steering Committee decided to form a special committee to assess and revise the mandates in response to these concerns. They also agreed to suspend more controversial aspects of the mandates, including BigFix installation for systems that don’t store or access PII or PHI and the use of Identity Finder except with specific consent of the individual whose files are being scanned. On May 15, the committee presented an interim report on its progress to the Faculty Senate.
The question of Stanford’s security and privacy policies transcends our campus. As a leader in both education and technology, this University has a pivotal role in setting the tone for debates on the balance between security and privacy. Student and faculty vigilance combined with the administration’s responsiveness bode well for the future of information technology at Stanford and beyond.