I do take issue with Brown's extremely harsh language in one of the linked articles where they threatened students with suspension...all for being in the local Providence area?!
> The C•CURE 9000 lets administrators view the complete historical building access history of a person.
> Combined, these logs paint a very accurate picture of your location on campus at any time.
But I did see the author's comments elsewhere in this thread[0], so there's no ill intent. This is an overall educational article.
Students faced a ternary choice prior to the Fall semester: 1. enroll as an on-campus student (and thus live in a dorm), or 2. enroll as a remote student (and thus live at home), or 3. take a leave of absence (and thus live wherever).
Only students in that second bin were subject to the requirement to stay out of Providence. A cynical take on this is that Brown has always had strict residency requirements for its students, and residency fees are far above the market rate in Providence. If students could simply mark themselves as "remote" to get out of paying dorm fees, I'm sure many would.
The other key bit of context is just how poor of a job Brown did at geolocating students. Dozens of students (some international!) received baseless notices of reprimand. The most compelling theory I've seen is that these students were using Brown's VPN, and were identified as on campus via IP geolocation.
That all being said, I think threatening suspension is a bit too harsh for what is probably a simple mistake for a bunch of 17-22 y/os.
Legally computers can’t give consent even if it seems like they do so. This is why people can be convicted of hacking for going to public URLs etc. Presumably, the same rules apply in the reverse where if people are unaware that’s what’s happening then it should be illegal to track them like this.
If anything it’s legally ok because as a student they may have unknowingly agreed to such somewhere.
https://blog.elevensoftware.com/how-mac-address-randomizatio...
[1] https://www.nytimes.com/interactive/2019/12/19/opinion/locat...
[1]: https://arstechnica.com/tech-policy/2020/08/secret-service-o...
[2]: https://www.wyden.senate.gov/news/press-releases/wyden-warre...
[3]: https://www.vice.com/en/article/m7agpa/irs-location-data-ven...
https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunte...
They promised to stop, but I’m not sure I believe them.
https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...
And, naturally, all the customers carefully read through the contract. /s
I don't even know what could be done to stop this stuff at this point? I think it's too far gone.
And safe. So now people think unions are icky and representatives that care about people rather than corporations are fantasy.
I was getting help debugging something (package manager barfing on the org’s wildcard MITM SSL cert) and the inanity of the tech scrolling through everything I’d done that day in such detail was spine chilling.
Deep packet inspection put everything from command line args to Google search terms at their fingertips. It felt grubby.
My org requires that I install their SSL cert which made the logs more detailed than Brown’s. That’s certainly a pretty high level of creepiness. But even without SSL DPI when the org has control over the network and at least one website using your identity then it’s trivial to correlate the application layer userid all the way down to your network access, including AP location.
If they outsource to Gmail or Outlook there’s usually still an org controlled single sign on that captures your identity.
I love the accessible way in which this report is written. While it’s specific to Brown it summarizes the generic surveillance patterns of many employers and education orgs. We all know these programs exist but it’s not until one experiences them first hand that one realizes how desperately creepy they are.
My school runs its IT department like it’s the 1990s from buildings constructed in the 1890s. That should give a frame of reference as to the progressiveness and pace of change I can reasonably expect. It’s salaried but I treat the job like a contracting gig: I provide my own equipment and network connection. It helps me sleep at night.
That’s more creepy than video cameras installed in toilets.
Although one should assume nowadays that a public network is the same thing as a public street, and that using the LAN of a school is the same thing as walking on its campus, it is indeed disturbing that some people within those orgs (and the org itself) have some of the same possibilities as the police have - except that police would need a judge and a mandate in some cases.
So as always there are pros and cons. Good uses and evil uses. In Europe, GDPR laws mandate that not every admin or user of the system have access to this type of data, and that's a good start IMO.
I'd be willing to bet a bundle Brown is just looking at building card access, or also possibly connection to an on-campus wifi network. In both cases I think any reasonable person would expect that Brown knew they were using these resources.
On campus, a LOT of students (perhaps the less technically adept ones) found it very surprising that Brown claimed to know where students were. This post was aimed primarily at those students, to clarify the technical mechanisms by which Brown located students.
I tried to speculate as little as possible. The rough set of indicators Brown took is straight from the University Spokesperson — I'm mostly just trying to fill in the technical details.
As for which of these mechanisms Brown is using most, the word on campus points mostly to IP geolocation.
I think that’s the reason for the tone.
There was a scandal back in 2010 where a high school in Philadelphia was accused of spying on kids through school-issued laptop webcams [1], which is arguably more egregious.
https://www.computerworld.com/article/2521075/pennsylvania-s...
In Australia, we did the same thing - a lot of universities went remote-only, so that we could eradicate the virus.
It seems to have succeeded - COVID-19 seems to be under control in Australia (along with many other countries like NZ, Vietnam, Singapore, Taiwan etc) - however, the US/Europe seems to have really struggled to get it under control. I hope they succeed soon.
I get the sense that a lot of people here (I assume from the US) are worried about their rights being infringed, as part of trying to protect people from getting sick. I'm not saying there doesn't need to be a discussion, or there isn't a balance - but it does come across as a bit churlish and petty, to try to openly defy public health measures in the name of defending human rights in the midst of a global pandemic.
I see it more that Americans were acting rationally and logically and parts of the rest of the world were acting emotionally in panic and willing to stop thinking for themselves and put their trust in health officials.
I wore a mask when it was considered racist and selfish to do so (Jan). Months later the WHO changed their advice and everyone needed a mask.
The IFR would have to be extraordinarily high for me to agree to a 6 month lockdown like the one enacted in Victoria.
If it was over WiFi, I would be much more concerned.
https://www.brown.edu/academics/college/degree/policies/leav...
I think the chances are good. If Brown is using IT records to determine academic standing, they're very much academic records.
I read once that someone at Stanford filed a FERPA request for some innocuous reason and found in horror a log of every time he swiped into a building on campus.
That's concerning.
https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...
They probably do really think like that. Or at least claim to while their real reasoning is a private affair.
For swipe cards, tailgate into buildings. Brown's building access is so restrictive, and the experience of being locked out is so universal, that virtually all Brown students are conditioned to hold doors open for each other.
For cameras, there isn't as much you can do to protect your privacy. The camera map included in the blog post displays OpenStreetMap data. It's very hard to go anywhere near Brown without getting caught up in its camera dragnet. You usually cannot avoid cameras altogether, but you can minimize your exposure! And the one bright side of 2020, in this regard, is that it's normalized wearing a mask!
As much as I would like it to happen, I doubt some switch will flip after they exit university, which makes them no longer accept measures like this.
New account because I don’t typically leak this much personal information. Maybe that speaks towards my concern about this. All I can say is that I’m glad I graduated before facial recognition and other massive surveillance tools became mainstream.
Brown's security camera surveillance is about twenty years in the making. [1] There were student complaints as it was initially expanded, but it's long since faded into being just another part of campus life.
Its electronic building access control system is perhaps about thirty years in the making? It seems to have been rolled out without any controversy. I've trolled the Brown Daily Herald archives and have failed to find any sign that the community discussed the convenience/privacy tradeoff being made.
[0] https://library.brown.edu/info/hay/carberry
[1] https://twitter.com/tenellous/status/1323752004775223302
The lax attitude surrounding privacy overreach like this is paving the way for a future surveillance state as described by this author. The "they're a private entity and they can do whatever they want" argument is getting old quickly. Needs to be nipped in the bud.
That said, the obsessive desire for surveillance should be stopped. Best day to start with that would be yesterday. People are getting crazy, which reduces overall security.
But I do agree that this case isn't "outrageous," per se. It's just a reminder of what data they have on students and the power they have over them.