ICPL – Oren Sreebny

[ICPL 2008} Politics 101: When, Why, and How to Talk to Congress

Steve Johnson, VP of Gov’t Affairs at Cornell. Find a hook if you can – hook on to something bigger. Expected themes in the the next congress and administration: sustainability, the economy, global status of the US, helping the middle class, access/cost of higher education, graduate education, healthcare. Realities in the next congress – new … Continue reading “[ICPL 2008} Politics 101: When, Why, and How to Talk to Congress”

Steve Johnson, VP of Gov’t Affairs at Cornell.

Find a hook if you can – hook on to something bigger.

Expected themes in the the next congress and administration: sustainability, the economy, global status of the US, helping the middle class, access/cost of higher education, graduate education, healthcare.

Realities in the next congress – new administration and congress, new and recycled staff (keep your rolodexes and reach out to people), hope springs eternal, state governments will be influential.

Taking stock of factors influencing your approach and audience. Some people will be turned off because what you’re involved in is “political” or by the partisan nature of the debate – don’t fall into the trap of thinking of either party as good or bad. Don’t fall into the excuse of being from a Red State or a Blue State. Think about the politics of your own state. How do you navigate the politics of your university – find your government relations representative.

Your message – what do you propose? Can you get it into a 30 second pitch in an elevator? You want to be able to say your objective in that time. Find your campus communication person – people don’t like jargon – speak English. Who are your allies? Keep your friends close and your enemies closer – make sure you’re talking to the other side – find out what they’re doing, who they’re talking to, where they’re going, what they have to lose. Use what media you can – the campus paper, the small weekly papers – your politicos read those or have someone who does.

What do you propose – frame it. Does it improve competition? We’re going into a down economy – hard to sell spending. Investment for the future, Innovation, Privacy, and Security are good.

Who are your allies? There’s more than Educause. In Higher ed, tbe Big 6: ACE, AAU, NASULGC (they’re in every state), ASCUE, NAICU – figure out where your message goes and get it there – they won’t pass the words on among themselves. Remember that politics is popilist, not elite. Need to reach out broadly. Others: NACUBO, Big Ten, Ivy League, Associationof American Medical Colleges, Educause.

How can you sue media to your advantage? Talk to your campus communications people. Who might oppose your ideas? How can you neutralize them?

It’s a game – you don’t like games? Don’t do it. Focus on your goal, but avoid partisan battles and be flexible. Seek your partners carefully – they can be short term and you’re not wedded to them on every issue. Keep it simple, and whatever you do, don’t make enemies – treat it professionally and collegially – the person you want to kill today might be your biggest ally tomorrow.

Jacqueline Powers – a few simple suggestions.

Being a lobbyist is a lot like being a sales person – you have to sell people on your positions. It’s also like being a journalist – have to know a little about a whole huge range of issues.

Lobbyists depend on experts – and legislators don’t want to hear from lobbyists, but want to hear from constituents and experts.

The most important thing to remember is if you need to contact your legislator professionally contact your university lobbyist before. It might keep you from jeopardizing the University’s priorities and other efforts. Congressional offices are becoming more formal in wanting universities to order their priorities and desires.

In order to lobby effectively there are some simple things you need to know. Don’t wear another university’s t-shirt. Bring a stack of business cards – they’re like an entry card in congressional offices and make it easier for the staffers to remember who you are during the conversation.

Lobbying is all about building relationships – be nice, smile. Do your homework – know who you’re going to see, who their staff is, what they like and dislike, ideologies and hobbies. You don’t want to put your foot in your mouth. You may hate the person’s politics and rhetoric – but he’s got something you need. You most likely won’t be meeting with the legislator, but with staff people – treat them with respect, as they’ll be assessing your message and if they like you they may take it to the legislator – treat them just like they are the person they represent. Start by telling the staff that you want to thank the congress person for… anything. If you can’t think of anything, thank them for their strong support of higher education (even if it’s somewhat of an exaggeration). Keep in mind you’ll only get 15-20 minutes with a staffer – so know what you want to say and say it succinctly in plain English – no jargon, no acronyms. Don’t assume they know the issues. Chances are the staffer will be under 25 years old and in the job less than six months – you always have to teach and train the new people all over again. They’re rarely experts in anything other than the care and feeding of their politician.

If you’re looking for congressional support, you have to state the positive practical outcomes in broad terms, so don’t be afraid to engage in some hyperbole and point to impacts and societal benefits.

Make sure you bring along a handout explaining in one page your project – because five minutes after you’re out the door that person won’t recall your name or what you were talking about. Simple answers to simple questions. Headings like: What is the problem? What have colleges and universities done already? What should Congress do? etc. Like a little tutorial. Here’s an example from Cornell.

Sincerely thank them for their time, and remind them to call or email with questions. Send an email follow-up with another thanks and contact info.

John Vaughn

When we’re at our best, many universities are saying the same thing. AAU is a Presidential association, but the most active are the governmental relations people, who meet monthly in DC to coordinate activities, which is really helpful. It’s important to step back from what you want to say and think about who you’re talking to and figure out how to express it in ways that help society, and help the person you’re talking to. We’re public purpose institutions that do good things for society, so if we can convey how particular efforts will benefit people in that congressperson’s district, state, and this county, our message will come across. Politics is very often the art of compromise – important to determine when we can compromise and when we can’t. Often when we have a clear objective we’re working against someone else’s objective – the best outcome is frequently a compromise. There are some issues where we can’t accept compromise – it’s important to understand which those are. Getting the involvement of presidents and chancellors is critical on those issues – they’re the best salespeople. Members of Congress know rank – and they have good contacts with the presidents and chancellors.

Every constituency on your campus has an association in Washington. On research issues AAU works with NASULGC and AAMC. On intellectual property issues they work with ARL, Educause on IT issues.

Two points on P2P that he might disagree with Gigi’s talk from last night – he thinks the outcome language in the final bill is not anywhere near as bad as the original Reid ammendment because it doesn’t authorize the Dept of Education to be an agent of the entertainment industry, which would’ve been unacceptable. The outcome does indeed stink – the federal government should not be getting involved in this. The Higher Education Act is over 1100 pages long. There were a number of fundamentally unacceptable provisions in it early on – federalizing accreditation, control of teacher education curricula, tuition price controls, etc. P2P got more attention (thanks to Educause) than it otherwise would’ve, but there are other issues for higher ed that are important too. Having connections across Washington higher ed associations allow us to work the issues pretty well.

In response to a question, John notes that in many disciplines faculty have more connection with their disciplinary societies on national issues than they do with their university, and the relationship between the national higher-ed institutions and those disciplinary institutions is important.

In response to a question from Tracy, all three panelists agree that the autonomy of higher education is in danger. John thinks it’s because the public investment in student funding and wanting to monitor results of that investment are driving that. Jackie thinks it’s because of the high cost of access. Steve thinks that it’s the cost issues, the public money, and we’re really not autonomous anyway, if you look at the statutes.

[ICPL 2008] Self-Snooping – monitoring your networks

H. Morrow Long is an Info security guy from Yale. Have decided not to scan for sensitive data on the network, but do scan for computers looking for sensitive info. Had two major data incidents. Had a large federal contracts investigation, and one large data breach. Now scan administrative desktops, and require all faculty and … Continue reading “[ICPL 2008] Self-Snooping – monitoring your networks”

H. Morrow Long is an Info security guy from Yale.

Have decided not to scan for sensitive data on the network, but do scan for computers looking for sensitive info.

Had two major data incidents.

Had a large federal contracts investigation, and one large data breach.

Now scan administrative desktops, and require all faculty and staff to scan data on their machines, including laptops. Using IdentityFinder on WIndows, and some open source stuff on MacOS and Linux. Have evaluated several enterprise products: Tablus, Vontu.

Spent first half of 2006 doing data breach planning, which led them to realize that they had to have a data classification program. They have an agreement with the Yale Police to report to them every stolen laptop – started to see more stolen laptops. In beginning of 2007 began a program to do PGP whole disk encryption. In July of 2007 two laptops stolen from Dean’s Office – they had backups, which they scanned for sensitive data (Cornell Spider, Texas SENF program, Va Tech’s

python program). They found 5,000 SSNs on each PC’s backup.

“The plan is fine until the shooting starts” – Patton.

Once you know what’s been lost, then you have to act on it. Criteria for scanning compromised computers – reasonable belief that data may have been exposed – evidence that somebody was on the computer for a length of time, or there’s evidence of data transfer, or if there’s belief that there may have been confidential data on the machine – don’t do scans for every time there’s a virus.

Yale complted an SSN elimination project in 2005 – so why were SSN’s on those stolen machines? Course and student lists in email and spreadsheets which were old and not needed. Discovered that almost everybody had at least one SSN on their machine – their own.

Thief stayed behind in office – stole two laptops. Police caught him the next night, but didn’t recover the laptops. Computers were likely stolen for quick sale, not data. Laptops had BIOS and OS passwords, and 1 had disk interlock password. But Connecticut law requires notification. Learned later that notification is really only required if there’s a name associated with the SSN.

Set up a call center for help, staffed by people in the Dean’s office. Crafted a communications plan, with several letters targeted at different people. Immediately encrypted all the laptops in the Dean’s Office iwth PGP Whole Disk Encryption.

One alum claimed ID theft and contacted the AG and the media. THe AG wanted to know why Yale did not offer credit protection plan. Hired ID Analytics to check the SSN #s for probability of compromise.

They created tools for scanning (Windows only at first), and got the General Counsel to send out letters to specified staff lettint them know that their machines were going to be scanned. Getting users to remediate data is the hard part – confusion, false positives, etc.

Policy for files with SSNs: 1. Remove 2. Move 3. De-identify 4. Encrypt

They use their training management system to record whether people have completed and remediated from their scans.

David Escalanted – Director of Security, Boston College

March 2005 – major data breach that required 100k + letters to alumni.

Realized that users don’t seem to mind people looking at their email for viruses and spam, so should be able to scan for PII. They also started collecting netflow data and Snort IDS. PII finder (Fidelis) “catches stupid people”, not hackers. They didn’t notify the community that they’re running these tools – if it’s legit to look for bad stuff coming in, they figure it’s legit to look for it going out. What happens to offenders? For PII, a VP or Dean is frequently involved.

When the White House invited the hockey team to visit, they wanted a list of all the visitors with their SSN #s. Emailed. They caught that going over the wire.

Encryption kills scanning on the wire.

Shirley Payne is the Directory of IT Security and Policy at the University of Virginia

Considerations for general policy decisions: Consistency with existing policies and norms (especially the physical world ones); compliance with or in consideration of laws.

UVa is sort of the opposite of BU: Not generally monitoring content, blocking websites, or scanning devices without permission. There are, of course some exceptions, like traffic monitoring for virus/worms signatures, etc.

[ICPL 2008] Software Patents for Higher Ed – Bruce Wieder

Bruce is an attorney at DowLohnes. Copyrights are intended to protect the expression of an idea, while patents are meant to protect the idea itself. Patent covers process, machine, manufature, or composition of matter. What you invent has to be new, useful, and nonobvious. Supreme Court said “phenomena of nature…mental processes, and abstract intellectual concepts … Continue reading “[ICPL 2008] Software Patents for Higher Ed – Bruce Wieder”

Bruce is an attorney at DowLohnes.

Copyrights are intended to protect the expression of an idea, while patents are meant to protect the idea itself.

Patent covers process, machine, manufature, or composition of matter. What you invent has to be new, useful, and nonobvious.

Supreme Court said “phenomena of nature…mental processes, and abstract intellectual concepts are not patentable”

In 1998 and 1999 the Federal Circuit ruled that business processes are patentable.

Typically patent examiners look at previously issued patents to establish prior art – but if new things are patentable, there won’t be previous patents.

In September, the court ruled (Nuijten) that a signal was not a process or machine – court said that articles of manufacture are “tangible articles or commodities. A transient eletrical or electircal transmission does not fit within that definition.” Appeal to Supreme Court is pending.

In re Comiskey the court rule that patent “does not allow patents on … systems that depend for thei r operation on human intelligence alone…”

Blackboard patent was issued in 2006. Claim 36 of that patent claim has the relevant issues. Blackboard sued Desire2Learn for infringement. In general, it’s easier to prove infringement than invalidity. In Feb 2008 the jury in Lufkin Texas found that claims 36-38 had not been proven invalid and had been proven infringed. Both parties are appealing. Desire2Learn says it migrated all users to a new version that doesn’t infringe (a “design-around”). Blackboard asked to have Desire2Learn in contempt, which the court denied (which is not the same as a finding of no infringement).

Meanwhile, the Software Freedom Law Center and Desire2Learn filed requests for reexamination of the patent claims. The PTO ordered reexamination. With reexamination there is no assumption of validity. On March 25 the PTO rejected all of the claims, and blackboard filed its response in May, adding new claims. BB petitioned the PTO to suspend reexamination pending final decision from the COurt of Appeals on the suit,, which the Software Freedom Law Center and Desire2Learn opposed – hasn’t been ruled on yet.

Looking at at least a year before we get a ruling on the suit, and two years before we get a ruling on the reexamination.

Institute for Computer Policy and Law

I’m here in beautiful Ithaca (not kidding) for the Institute for Computer Policy and Law, where I’m speaking later today. Steve Worona is introducing the Institute. There’s going to be a role play tomorrow where participants are asked to play either an entertainment industry exec, a campus CIO, or a student. The attendees are mostly … Continue reading “Institute for Computer Policy and Law”

The attendees are mostly either campus attorneys or IT policy people. During introductions people are being aked to name the biggest IT policy issue at their institution – many are talking about having consistently enforced policies and many are mentioning data management policies.