[CSG Winter 2010] Shared Services Working Group Update

Provide a shared, binding framework … seeking to aggregate demand for or provide shared IT services across multiple institutions.

Examples: Sourcing from a commercial provider – storage, Exchange service, VMs, etc. Provisioning amongst ourselves – bilateral, multi-university, or one institution providing service for others.

Benefits – Economies of scale, increased efficiency through standardization, enhancing collaboration and sharing, streamlined contracting.

Talked with NACUA about potential legal issues – antitrust, issues across publics and privates, software code escrow, liability/indemnity, state law issues, tax issues, personnel rules, intellectual property rights distribution, establishing enforceable service levels. This was discussed at the NACUA meeting in July. A subset of the CSG working group is working on an RFP with folks from NACUA. Not focusing on technical aspects, but on shared aggregation. Would have an appended SLA to talk about service levels. Test cases – outsourcing faculty/staff email, shared data center space. For fac/staff email, CSG reps articulated technical issues and aligned existing contractual/RFP statements with those; NACUA reps worked up a strawman RFP this past Monday.

Issues outlined were around data – key one being ownership. Security, retention/disposal to comply with statutes, integrity of data, privacy and confidentiality, integration and operational issues (e.g. integration with existing campus/federated IAM), supporting aggregation and coordination of demand were also issues.

Data Center Sharing – just starting to work on this example. Three aspects have come up in discussions so far – “I want to use your data center”, “need additional services”, “fully managed services”.

Next steps: finalizing RFP, flesh out data center use case, articulate the value proposition for vendors.

Asbed talks about the arrangements USC has made with Clemson to share data center space. Provides off-site storage.


[FTC Town Hall] Digital Rights Management FTC Town Hall – Panel 3: DRM In Action

J. Alexander Halderman – Professor of electrical engineering and CS at the University of Michigan

FTC has a role to play in easing burden of DRM. Helping consumers understand what they’re buying, and helping them get what they pay for. Consumers are beginning to expect that products containing DRM will harm them, and that’s not good for either consumers or the content industries.

He researches the security of DRM systems. At one time research was primarily around security of content, but there’s an emerging area of collateral damage caused by DRM measures. DRM has a tendency to create security risks beyond those presented by typical consumer software. Brings up the Sony rootkit, and a videogame DRM system called SafeDisc, which had a security bug and whose software had kernel-level access to Windows systems. Automatic updates without notification and “phoning home” without notification are also issues that reduce the users’ understanding and control.

Independent review is necessary to really vet the security of programs, but DRM makers hide behind the DMCA – he’s been threatened with legal action over some of his research. He’d like to propose that DRM producers and the FTC pursue measures to facilitate independent security review of DRM issues by adopting a “mere notice” provision for testing rather than asking permission as is required under current DMCA provisions. Also proposes notice to consumers of risky behavior like running kernel-level code. Also wants to propose technical transparency around disclosure of technical details of DRM systems on manufacturers’ web sites.

Patrick Ross – Exec. Director, Copyright Alliance

Creators are thrilled these days when people are actually willing to pay for content.

Mandatory labeling isn’t the answer – gives example of long information handouts that come with drug prescriptions that don’t get read.

Christopher Soghoian – Student Fellow, Berkman Center

Speaking to longevity issues – some content needs to call home to authenticate, either on use or periodically. Sometimes services go under, which prevents lawful access to content that’s been paid for. So far the large companies that have stopped services (Microsoft, Yahoo, Google, Walmart) have been able to provide for refunds or continued services upon outcry, but that might not be true of smaller operations. Consumer cannot predict failures – that’s why we have regulation. Education not sufficient in this area, so proposing action for FTC – force DRM providers to provide source code and authentication keys to be held in escrow by the FTC. “Obviously, this is a proposal that’s a little bit out there”. In the music market we’ve seen DRM fail. But the same companies are moving ahead with DRM in other spaces. Because companies won’t actually act rationally, we need government action.

Debbie Rose – Association for Competitive Technology

Her members are mostly small inventors and innovators. Interested in knowing what the rules are and how they can use them to make cool products. The message is that the rules of the road are not that prohibitive and the DMCA and DRM are not roadblocks to innovation. She recently wrote an “innovator’s guide to the DMCA” (not yet published). The DMCA has two prohibitions with a host of exceptions – the key is it’s a working mechanism. Access control technologies are being used in lots of fields besides entertainment – privacy protection for medical records, as an example.

Rashmi Rangnath – Staff Attorney, Public Knowledge

Harms caused by lack of interoperability – affects both consumers and competition. An example is older Blu-ray discs not playing at full resolution on older HDTVs because of copy protection technology.

Lock-in – example is iPods linked to iTunes – with FairPlay you couldn’t use the iTunes Music Store with players that weren’t Apple iPods, harming competition in the device market. FTC should investigate lock-in and consider it an unfair trade practice.

Preventing lawful use – DRM on DVDs prevents classroom use of clips. Professors in media studies departments got an exception in the rulemaking process. But consumers have to re-apply every three years and exemptions do not extend to trafficking, so if you’re not technically savvy you can’t circumvent because nobody can send you the tools. We should amend the DMCA to allow circumvention for lawful uses, but in the meantime we should grant the Copyright Office more authority to grant wider exceptions.

Bo Anderson – President and CEO, Entertainment Merchants Association

Retailers are at the pivot point of commerce in entertainment goods, delivering product into the hands of consumers. They have a brief but costly opportunity to help educate consumers, and get direct feedback from customers when they are displeased – the first to hear when trust is broken. Rebuilding broken trust is more expensive than keeping it in the first place. Retailers are concerned about the use of DRM when it abridges consumers’ rights of use, transferability, and rights of privacy. They’re concerned whenever DRM is used to require consumers to have a business relationship with the content providers as a condition of use.

When DRM is used to facilitate broad dissemination by facilitating the licensing of exclusive rights, it should be encouraged. When it’s used to restrict, burden or control dissemination beyond limited exclusive rights, it should be discouraged.

A fairly inane, though heated, discussion on business models, DRM, and consumer rights breaks out at the end.

[FTC Town Hall] Digital Rights Management FTC Town Hall – Second panel – legal landscape

The panel is moderated by Carl Settlemyer, Attorney with the Division of Advertising Practices, FTC, who gives a 3 minute overview of US copyright law (whew!).

Rob Kasunic – Principal Legal Advisor, U.S. Copyright Office. The DMCA. There’s always been a symbiotic relationship between technology and copyright laws.

He draws a link between DRM and access controls on files in operating systems. These were just technological methods, without any legal backing. Traditionally, copyright law was supported by practical constraints on physical copying, but with technology the law may not be enough to protect works.

Congress determined that the solution was to erect legal support for technological self-help measures used to protect copyrighted works distributed in digital form. The current models of streaming subscription services are an example of models made possible by these protections.

Section 1201 created prohibitions for two activities – circumvention of technological measures (a1), and distribution of devices that circumvent measures (a2). No prohibition on fair use and other traditional limitations of the exclusive right of copyright – free to circumvent to preserve legitimate use.

Section 1201 rulemaking – Congress created a triennial rulemaking process as a “fail-safe” mechanism – carried out by the Copyright Office. The Library of Congress may create an exemption for “particular classes of works” for the ensuing three-year period. http://www.copyright.gov/1201/

Steven Metalitz – Attorney – Mitchell Silberberg & Knupp (Counsel to Publishers, Software Alliance, Entertainment Software Association, MPAA, and RIAA) – use of access controls has encouraged more access by more people. (?) Offers more choices to consumers. As DRM evolves, choices broaden. DRM has encouraged rights-holders to make more content available. DRM as a “key enabling technology” that should be encouraged. Copyright owners recognize the issue of disclosure to consumers and are experimenting with different methods to do so. Content companies have a great incentive to match the expectations of consumers to keep their businesses alive.

Corynne McSherry – Electronic Frontier Foundation

Copyright is not just about protecting the rights of owners to control creative works – it’s a balance of the rights of content owners and the public. Unfortunately DRM can upset that balance in ways that are harmful to consumers and innovation.

User rights – Fair Use – protects basic personal uses. Reasonable consumer expectations include personal and backup copies, time-shifting, space-shifting, etc. Consumers also expect innovation – new tools and uses, e.g. SlingBox, bnetd, RealDVD. Consumers don’t expect to have to repurchase content every time a new technology comes along. Content owners use the anti-circumvention provisions of the DMCA to shut down innovation. RealDVD tried to play by the rules in licensing DVD technology to make backup copies of DVDs, but they were sued and are now under a restraining order.

There’s also “first sale rights”. What about content in the Kindle?

Consumers feel abandoned when services shut down – e.g. Yahoo! Music, MSN Music, etc.

The rest of the story – EULAs – Contract law.

We need disclosures in advance, not pop-ups after you purchase. Disclosures won’t solve the problems with DRM, though.

Justin Hughes – Cardozo School of Law, Yeshiva University

Ten years after the DMCA, we have a world full of digital locks, but it is not characterized by digital lockdowns. We’re now in a better place to understand the impacts of DRM. When the DMCA was drafted, there wasn’t much discussion at all about disclosure. Are we here to engage in substantive regulation of the marketplace, or regulation of information? We do have problems of full and adequate disclosure. But we also have substantive issues – securing consumer rights.

DMCA as an attempt at substantive regulation. If your regulation is sufficiently light, it becomes part of the background environment. That’s been true of the DMCA. We might have ended up in a technological arms race, but we don’t live in that world because of the DMCA. What the regulation did not do was to attempt to determine the relation between copyright and contract law. Other countries have provided for capacity to circumvent the DRM in certain circumstances, but that would not be easy in the US.

We could do more on information regulation, but we just don’t know enough. Government agencies that regulate don’t do empirical research about consumer expectations. But the threat of regulation can help keep content owners doing the right things.

Salil Mehra – Beasley School of Law, Temple University

Common Law Fraud – making an intentional, material misrepresentation to another with knowledge of its falsity, for the purpose of inducing the other person to act. The other person relies upon such misrepresentation with resulting injury.

Something like fraud happens with the way DRM is implemented.

Digital Fraud – differences? Don’t usually see affirmative misrepresentation, but rather concealment – things that appear whole, but are not. An unfair surprise leading consumers to get less than they bargain for. Technology provides new ways of giving people less than they thought they paid for. People buy digital content but don’t realize what they’re buying.

Nicolas Jondet – PhD Candidate, Edinburgh Law School

Can we be informed by what’s happening in French law?

DVD Region coding is an issue outside the US. Another issue is videogames. There’s been a lot of litigation in France around DRM on music CDs, where it was introduced early. The most important issue is private copying – there’s a private copy provision in France. You pay a tax on blank media that is supposed to compensate, and consumers expect they’re allowed to make a copy.

French law wasn’t passed until 2006.

Court held in 2005 that DRM CD sold by BMI was defective because it wouldn’t play on all players. But a court held that Warner was ok having disclosed that a CD wouldn’t play on all players. Under French law (according to a court) if you use the CD logo it must play on all players or else it’s a deceptive practice. Sony was found guilty of deceptive practices for Sony Connect service, because they didn’t disclose that you could only purchase content with a Sony device.

New legal requirement that DRM can’t prevent copyright protections and there must be interoperability between DRM schemes. No cases brought yet, but it has had an impact – Apple called it “state-sponsored piracy”, and US thought it was in breach of WTO. But a few months later, Apple changed to DRM-free music.

Carl asks about advertising – does ad language conflict with terms and conditions when they claim you can “own” or “buy” content? Steve – if it’s a sale then the first sale doctrine applies, but if it’s a license, then it depends on the terms of the license. But first sale applies to the copy you purchase, not the copy you’ve made online. DRM may help provide a solution to this problem – could enable someone to make a copy, transfer it to someone else, and then no longer have access to the first copy. Corynne – you don’t need DRM to answer this problem. Just have the consumer delete the original copy. (audience mutters, “yeah, right”). The distinction between a sale and a license has been an important one – and if there’s advertising implying you’re owning or buying, then it’s deceptive. Justin – do not assume that the physical world analogies translate to the online world. Maybe we shouldn’t be using words like own or buy.

In response to a question about whether it’s fair to use terms like “buy” and “sale” to transactions that depend on the continued operation of authentication servers, Steve asks whether people trying to innovate should be held hostage to having to continue business in perpetuity. That seems disingenuous to me – people should feel free to try those business models, but make it clear that it’s a content rental or loan or something.

[ICPL 2008] Politics 101: When, Why, and How to Talk to Congress

Steve Johnson, VP of Gov’t Affairs at Cornell.

Find a hook if you can – hook on to something bigger.

Expected themes in the next congress and administration: sustainability, the economy, global status of the US, helping the middle class, access/cost of higher education, graduate education, healthcare.

Realities in the next congress – new administration and congress, new and recycled staff (keep your rolodexes and reach out to people), hope springs eternal, state governments will be influential.

Taking stock of factors influencing your approach and audience. Some people will be turned off because what you’re involved in is “political” or by the partisan nature of the debate – don’t fall into the trap of thinking of either party as good or bad. Don’t fall into the excuse of being from a Red State or a Blue State. Think about the politics of your own state. How do you navigate the politics of your university – find your government relations representative.

Your message – what do you propose? Can you get it into a 30 second pitch in an elevator? You want to be able to say your objective in that time. Find your campus communication person – people don’t like jargon – speak English. Who are your allies? Keep your friends close and your enemies closer – make sure you’re talking to the other side – find out what they’re doing, who they’re talking to, where they’re going, what they have to lose. Use what media you can – the campus paper, the small weekly papers – your politicos read those or have someone who does.

What do you propose – frame it. Does it improve competition? We’re going into a down economy – hard to sell spending. Investment for the future, Innovation, Privacy, and Security are good.

Who are your allies? There’s more than Educause. In higher ed, the Big 6: ACE, AAU, NASULGC (they’re in every state), AASCU, NAICU – figure out where your message goes and get it there – they won’t pass the words on among themselves. Remember that politics is populist, not elite. Need to reach out broadly. Others: NACUBO, Big Ten, Ivy League, Association of American Medical Colleges, Educause.

How can you use media to your advantage? Talk to your campus communications people. Who might oppose your ideas? How can you neutralize them?

It’s a game – you don’t like games? Don’t do it. Focus on your goal, but avoid partisan battles and be flexible. Seek your partners carefully – they can be short term and you’re not wedded to them on every issue. Keep it simple, and whatever you do, don’t make enemies – treat it professionally and collegially – the person you want to kill today might be your biggest ally tomorrow.

Jacqueline Powers – a few simple suggestions.

Being a lobbyist is a lot like being a sales person – you have to sell people on your positions. It’s also like being a journalist – have to know a little about a whole huge range of issues.

Lobbyists depend on experts – and legislators don’t want to hear from lobbyists, but want to hear from constituents and experts.

The most important thing to remember is that if you need to contact your legislator professionally, contact your university lobbyist first. It might keep you from jeopardizing the University’s priorities and other efforts. Congressional offices are becoming more formal in wanting universities to order their priorities and desires.

In order to lobby effectively there are some simple things you need to know. Don’t wear another university’s t-shirt. Bring a stack of business cards – they’re like an entry card in congressional offices and make it easier for the staffers to remember who you are during the conversation.

Lobbying is all about building relationships – be nice, smile. Do your homework – know who you’re going to see, who their staff is, what they like and dislike, ideologies and hobbies. You don’t want to put your foot in your mouth. You may hate the person’s politics and rhetoric – but he’s got something you need. You most likely won’t be meeting with the legislator, but with staff people – treat them with respect, as they’ll be assessing your message and if they like you they may take it to the legislator – treat them just like they are the person they represent. Start by telling the staff that you want to thank the congress person for… anything. If you can’t think of anything, thank them for their strong support of higher education (even if it’s somewhat of an exaggeration). Keep in mind you’ll only get 15-20 minutes with a staffer – so know what you want to say and say it succinctly in plain English – no jargon, no acronyms. Don’t assume they know the issues. Chances are the staffer will be under 25 years old and in the job less than six months – you always have to teach and train the new people all over again. They’re rarely experts in anything other than the care and feeding of their politician.

If you’re looking for congressional support, you have to state the positive practical outcomes in broad terms, so don’t be afraid to engage in some hyperbole and point to impacts and societal benefits.

Make sure you bring along a handout explaining in one page your project – because five minutes after you’re out the door that person won’t recall your name or what you were talking about. Simple answers to simple questions. Headings like: What is the problem? What have colleges and universities done already? What should Congress do? etc. Like a little tutorial. Here’s an example from Cornell.

Sincerely thank them for their time, and remind them to call or email with questions. Send an email follow-up with another thanks and contact info.

John Vaughn

When we’re at our best, many universities are saying the same thing. AAU is a Presidential association, but the most active are the governmental relations people, who meet monthly in DC to coordinate activities, which is really helpful. It’s important to step back from what you want to say and think about who you’re talking to and figure out how to express it in ways that help society, and help the person you’re talking to. We’re public purpose institutions that do good things for society, so if we can convey how particular efforts will benefit people in that congressperson’s district, state, and this country, our message will come across. Politics is very often the art of compromise – important to determine when we can compromise and when we can’t. Often when we have a clear objective we’re working against someone else’s objective – the best outcome is frequently a compromise. There are some issues where we can’t accept compromise – it’s important to understand which those are. Getting the involvement of presidents and chancellors is critical on those issues – they’re the best salespeople. Members of Congress know rank – and they have good contacts with the presidents and chancellors.

Every constituency on your campus has an association in Washington. On research issues AAU works with NASULGC and AAMC. On intellectual property issues they work with ARL, Educause on IT issues.

Two points on P2P where he might disagree with Gigi’s talk from last night – he thinks the outcome language in the final bill is not anywhere near as bad as the original Reid amendment because it doesn’t authorize the Dept of Education to be an agent of the entertainment industry, which would’ve been unacceptable. The outcome does indeed stink – the federal government should not be getting involved in this. The Higher Education Act is over 1100 pages long. There were a number of fundamentally unacceptable provisions in it early on – federalizing accreditation, control of teacher education curricula, tuition price controls, etc. P2P got more attention (thanks to Educause) than it otherwise would’ve, but there are other issues for higher ed that are important too. Having connections across Washington higher ed associations allows us to work the issues pretty well.

In response to a question, John notes that in many disciplines faculty have more connection with their disciplinary societies on national issues than they do with their university, and the relationship between the national higher-ed institutions and those disciplinary institutions is important.

In response to a question from Tracy, all three panelists agree that the autonomy of higher education is in danger. John thinks it’s because the public investment in student funding and wanting to monitor results of that investment are driving that. Jackie thinks it’s because of the high cost of access. Steve thinks that it’s the cost issues, the public money, and we’re really not autonomous anyway, if you look at the statutes.

[ICPL 2008] Outsourcing E-Mail: Technology and Policy

Our panel on email went very well. I didn’t take complete notes, as I was on the panel, but here’s what I got:

The panel started with John Calkins, Assistant General Counsel from Northwestern, where they’ve implemented Google for students. A good quote: “Free is just one point on a spectrum between they pay us to we pay them.”

For FERPA they’re thinking that student email residing in a student account is not a record maintained by the University, and therefore would not be covered by FERPA. They also got Google to agree that any record that would be subject to FERPA at the university would be treated as such by Google. They hear that Google is not necessarily willing to agree to that now.

By and large their view is that the arrangement is between Google and the individual student (or alum), not between the university and the student.

90% of their recent graduating class elected to keep their google account with advertising as alumni.

Asbed Bedrossian from USC, which has also implemented Google for students, talked next. Another good quote: “We in the IT department are the transmission fluid in making things run smoothly.”

They use Shibboleth for allowing people to sign in to Google applications on the web with their USC NetID and password. They give people a different password for use if they want to use a non-web IMAP client to access email. (I need to ask Asbed about what they use for Google Talk access with non-web clients).

66% of people who create accounts forward their USC email address to Google. His theory on the rest is that they just want to use the other collaboration apps.

They haven’t had a lot of support issues, but people did start calling their help desk during the recent Google outage.

They use ga.usc.edu for their third level domain name.

They’re not migrating mail from existing USC accounts to Google – that turned out to not be a big deal to students at all and they’ve only had a couple of requests for it.

Another good quote: “Doing things is easy – thinking is hard.”

My slides from my part of the panel are here.

[ICPL 2008] Gigi Sohn from Public Knowledge

Gigi Sohn from Public Knowledge was our after-dinner speaker. Gigi talked about the file-sharing provisions in the recently passed Higher Education Reauthorization Act and how the work that the higher-ed community did last year to get those provisions struck from the original bill language didn’t hold up when the language reappeared in a subsequent version. She contrasted that with the success of the copyright-reform community in getting the FCC to censure Comcast for interfering with the use of BitTorrent by their customers.

Gigi noted several differences in the two efforts and came up with some recommendations for future efforts in organizing activity around legislative policy efforts, including keeping constant pressure on telling the story to mainstream media, mobilizing the grass roots, enlisting allies from the commercial sector, and more (wish I had had a note pad with me at dinner).

Gigi also proposed forming a task force of university presidents to work on national IT policy issues for higher education. Sounds like a very timely idea to me. It was a great talk that left me energized about policy issues for the first time in a long while.

[ICPL 2008] Self-Snooping – monitoring your networks

H. Morrow Long is an Info security guy from Yale.

Have decided not to scan for sensitive data on the network, but do scan computers for sensitive info.

Had two major data incidents.

Had a large federal contracts investigation, and one large data breach.

Now scan administrative desktops, and require all faculty and staff to scan data on their machines, including laptops. Using IdentityFinder on Windows, and some open source stuff on MacOS and Linux. Have evaluated several enterprise products: Tablus, Vontu.

Spent the first half of 2006 doing data breach planning, which led them to realize that they had to have a data classification program. They have an agreement with the Yale Police to report to them every stolen laptop – started to see more stolen laptops. In the beginning of 2007 began a program to do PGP whole disk encryption. In July of 2007 two laptops were stolen from the Dean’s Office – they had backups, which they scanned for sensitive data (Cornell Spider, Texas SENF program, Va Tech’s python program). They found 5,000 SSNs on each PC’s backup.

“The plan is fine until the shooting starts” – Patton.

Once you know what’s been lost, then you have to act on it. Criteria for scanning compromised computers – reasonable belief that data may have been exposed – evidence that somebody was on the computer for a length of time, or there’s evidence of data transfer, or if there’s belief that there may have been confidential data on the machine – don’t do scans every time there’s a virus.

Yale completed an SSN elimination project in 2005 – so why were SSNs on those stolen machines? Course and student lists in email and spreadsheets which were old and not needed. Discovered that almost everybody had at least one SSN on their machine – their own.

Thief stayed behind in the office – stole two laptops. Police caught him the next night, but didn’t recover the laptops. Computers were likely stolen for quick sale, not data. Laptops had BIOS and OS passwords, and one had a disk interlock password. But Connecticut law requires notification. Learned later that notification is really only required if there’s a name associated with the SSN.

Set up a call center for help, staffed by people in the Dean’s office. Crafted a communications plan, with several letters targeted at different people. Immediately encrypted all the laptops in the Dean’s Office with PGP Whole Disk Encryption.

One alum claimed ID theft and contacted the AG and the media. The AG wanted to know why Yale did not offer a credit protection plan. Hired ID Analytics to check the SSNs for probability of compromise.

They created tools for scanning (Windows only at first), and got the General Counsel to send out letters to specified staff letting them know that their machines were going to be scanned. Getting users to remediate data is the hard part – confusion, false positives, etc.

Policy for files with SSNs: 1. Remove 2. Move 3. De-identify 4. Encrypt

They use their training management system to record whether people have completed and remediated from their scans.

David Escalante – Director of Security, Boston College

March 2005 – major data breach that required 100k + letters to alumni.

Realized that users don’t seem to mind people looking at their email for viruses and spam, so should be able to scan for PII. They also started collecting netflow data and Snort IDS. PII finder (Fidelis) “catches stupid people”, not hackers. They didn’t notify the community that they’re running these tools – if it’s legit to look for bad stuff coming in, they figure it’s legit to look for it going out. What happens to offenders? For PII, a VP or Dean is frequently involved.

When the White House invited the hockey team to visit, they wanted a list of all the visitors with their SSN #s. Emailed. They caught that going over the wire.

Encryption kills scanning on the wire.
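As an added example (not code from Yale, BC, or any of the tools named above), the following Python illustrates both the desktop/backup scan described in the Yale notes and the on-the-wire check described in the BC notes: SSN candidates are validated against the SSA’s issuance rules to cut the false positives that make remediation painful, the “de-identify” remediation step masks all but the last four digits, and the same detector run over a constructed SMTP message finds a visitor list in the clear but nothing once the session is encrypted. The roster rows, the email, and the SHA-256 counter-mode keystream standing in for TLS are all constructed for this example.

```python
import hashlib
import re
from typing import List, Tuple

# One candidate SSN: area-group-serial with a consistent separator (dash, space
# or none). Digit lookarounds stop a 9-digit run inside a longer number
# (account numbers, barcodes) from being carved up into an "SSN".
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issued area 000, 666 or 900-999, group 00, or serial 0000.
    Rejecting those removes a large share of the false positives that make
    users distrust scan results (zero-padded IDs, phone fragments, test data)."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text: str) -> List[Tuple[int, str]]:
    """Return (offset, matched_text) for every plausible SSN in text."""
    return [
        (m.start(), m.group(0))
        for m in SSN_RE.finditer(text)
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4))
    ]


def deidentify(text: str) -> str:
    """Remediation option 3 ("de-identify"): keep the last four digits so a
    roster is still matchable, drop the rest. Implausible candidates are left
    untouched so unrelated numbers are not mangled."""
    def mask(m):
        if not is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            return m.group(0)
        return "XXX-XX-" + m.group(4)
    return SSN_RE.sub(mask, text)


# Constructed sample: the kind of stale course roster found in old backups.
SAMPLE_ROSTER = "\n".join([
    "last,first,ssn,course",
    "Smith,Jane,123-45-6789,ECON 101",
    "Jones,Ann,321549876,HIST 200",      # no separators, still plausible
    "Part,Number,000-12-3456,n/a",       # area 000: never issued, skipped
    "Ticket,Id,987654321012,n/a",        # 12-digit run: not carved up
])

# Constructed sample: a visitor list of the sort described as going out by email.
SAMPLE_EMAIL = (
    "Subject: hockey team White House visit\r\n\r\n"
    "Please clear the following for entry:\r\n"
    "Pat Lee 234-56-7890\r\n"
    "Sam Roe 345-67-8901\r\n"
)


def scan_wire(payload: bytes) -> List[Tuple[int, str]]:
    """Network-side check over raw bytes, the way an inline PII sensor sees
    an SMTP session. latin-1 keeps a 1:1 byte-to-character mapping."""
    return find_ssns(payload.decode("latin-1"))


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS so the example runs offline: SHA-256 in counter mode
    as a keystream (hypothetical, deterministic for reproducibility; not for
    real use). Applying it twice with the same key decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


if __name__ == "__main__":
    for off, hit in find_ssns(SAMPLE_ROSTER):
        print(f"roster offset {off}: {hit}")
    print(deidentify(SAMPLE_ROSTER))
    clear = SAMPLE_EMAIL.encode()
    print("cleartext SMTP hits:", len(scan_wire(clear)))
    print("encrypted SMTP hits:", len(scan_wire(keystream_xor(clear, b"session-key"))))
```

The validation step is what keeps the remediation burden manageable: a bare nine-digit regex flags every zero-padded ID and phone fragment, and users quickly stop trusting the report. The wire check shows the flip side of encrypting everything: once the SMTP session is inside TLS, the sensor sees only ciphertext, so endpoint scanning (or inspection at a point where the content is in the clear) has to carry that control.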

Shirley Payne is the Director of IT Security and Policy at the University of Virginia

Considerations for general policy decisions: Consistency with existing policies and norms (especially the physical world ones); compliance with or in consideration of laws.

UVa is sort of the opposite of BC: Not generally monitoring content, blocking websites, or scanning devices without permission. There are, of course, some exceptions, like traffic monitoring for virus/worm signatures, etc.

Institute for Computer Policy and Law

I’m here in beautiful Ithaca (not kidding) for the Institute for Computer Policy and Law, where I’m speaking later today. Steve Worona is introducing the Institute. There’s going to be a role play tomorrow where participants are asked to play either an entertainment industry exec, a campus CIO, or a student.

The attendees are mostly either campus attorneys or IT policy people. During introductions people are being asked to name the biggest IT policy issue at their institution – many are talking about having consistently enforced policies and many are mentioning data management policies.