Privacy issues dominate computer committee discussion

By MARTY LEVINE

When you go through multifactor authentication to sign in to Pitt’s email system or other apps, there is now a small but significant addition to the opening screen:  a checkbox that allows you to stay connected for 12 hours without being automatically logged off.

The change from the previous automatic eight-hour limit, Pitt IT’s Deputy Chief Information Officer Adam Hobaugh told the Senate’s Computing and Information Technology Committee on Nov. 18, was prompted by user complaints about having to log back in too often and was instituted several weeks ago.

Flex@Pitt technology will see additions and improvements, he also announced, with more video to show students in classes, more audio capability for broadcasting faculty voices and new white boards added to about 40 classrooms for next semester. That includes several larger rooms in University buildings, such as Alumni Hall, in response to faculty requests.

The migration of online computer-file storage from Box to OneDrive has commenced for the 60 largest Box users and will be completed over the next several weeks, Hobaugh added, while the remaining Box users will be able to move their stored materials from January through June 2021. Expect to see further news about this process, Hobaugh said: “I think June gives us plenty of time to move everyone.”

Committee members spent much of the meeting discussing how new privacy issues should be included in two policies now under review through Pitt’s policy revision process: the Computer Access and Use policy and the University Network policy.

The discussion was prompted by the concerns of two Pitt faculty members who contacted the committee, at least one in reaction to the “acceptable use” policy that displayed on new Pitt computer equipment he was using.

Acceptable use policies, which usually say that the computer owner has the right to all data on their equipment and network, are standard on business-owned computers, and the language of Pitt’s policy has not been changed recently. But Pitt faculty, staff and students are increasingly using their own devices, from cell phones to laptops, and switching among non-Pitt and Pitt networks, while using a mix of Pitt and non-Pitt apps with various degrees of Pitt licensing and ownership. How can privacy be assured among all of these factors?

Computer committee chair Michael Spring suggested that the committee consider what rights the University should have to data and communications that pass through its devices and networks, and what rights its employees should have to privacy of that data and communications on their various devices, networks and apps. How should University policies be changed to reflect those rights, he asked, and how should the University community be made aware of any such changes?

“Should faculty be given an assurance that the data is safe?” he asked.

Hobaugh told the committee that data that passes through personal cellphones is generally encrypted by the app companies before such data goes through the University’s network.

“Even if we wanted to capture that data, it would be worthless,” he said.

The University is not be able to see your Gmail account, for instance, even when emails from that service go through the University’s network. Not only is Gmail encrypted, he said, but “we don’t necessarily have the technology to look back a month” for specific network traffic, and in that case only the IP addresses of sender and recipient would be accessible.

Ralph Roskies, head of the Center for Research Computing, noted that such addresses might be relevant to an intellectual property dispute between the University and a faculty member, but Hobaugh assured that, “We don’t act as Big Brother. We have no intention of acting as Big Brother.”

Chief Information Officer Mark Henderson added that “we are not staffed, nor will we ever be staffed,” to check all the data passing through the network. “We have to have some sort of event that triggers general counsel” to tell Pitt IT to look into the data.

“If there was some sort of activity deemed to be inappropriate, general counsel would ask us to get involved,” he added. “There were incidents where there wasn’t much we could do” even when asked to investigate in the past. Should the FBI or police approach Pitt IT for information, he said, Henderson would direct them to the general counsel’s office first.

“I have a lot of faith in what you’re saying,” Spring responded, but the University should still aim to tell faculty and staff that, short of a legal request, Pitt doesn’t look at their data.

“We’re in a period of frequent change in a lot of places and I fear we’re not doing a good job of communications on a lot of things” — including the positive changes Pitt IT has already brought to the University. “All these things that are critical to using our infrastructure are in flux.” Can we get assurances that “that communication is considered sacrosanct?” he said.

Spring noted that, as part of Pitt’s agreement with Microsoft, there is now artificial intelligence perusing our Pitt emails to tell us how productive we’re being. He was surprised recently to get a message reminding him that he had promised to send a colleague something — had he done it, the message asked?

“And there is real fear … that there is AI reading your email,” Spring said. “The question is, can we control it?”

Marty Levine is a staff writer for the University Times. Reach him at martyl@pitt.edu or 412-758-4859.

 

Have a story idea or news to share? Share it with the University Times.

Follow the University Times on Twitter and Facebook.