Against Surveillance in the Name of Security

AAUP Boulder encourages CU Boulder faculty, staff, and students to sign this petition as an individual. Organizations can email aaupcub@proton.me to endorse.


CU Boulder's Office of Information Technology (OIT) has mandated that all university-owned devices comply with the Secure Computing Standard for Computers (SCSC). The SCSC was drafted without collaboration with faculty and fails to adequately accommodate curricular, research, and scholarly activities that Regent Law 5.A grants faculty principal authority over.

Moreover, aspects of the SCSC amount to invasive surveillance that poses grave threats to the Regent Law 5.B right to academic freedom and to the First Amendment and labor rights of faculty, staff, and students. Specifically, the SCSC requires running Endpoint Detection and Response (EDR) software, namely Microsoft Defender for Endpoint, which is privileged software that records file and process metadata, full URLs (which not only identify specific articles, but may include search terms, tracking information, and interactions), and even contents of files deemed suspicious. These records are far more invasive than library records, yet lack clear protections under Colorado state law and the First Amendment. These data are continually transmitted to Microsoft servers where they are searchable system-wide for months and may be included in "rapid bilateral and multilateral" sharing with the federal Cybersecurity and Infrastructure Security Agency (CISA) under the Joint Cyber Defense Collaborative, of which Microsoft is a founding member. With Executive Order 14243 "authorizing and facilitating [...] inter-agency sharing" and hundreds of CISA employees reportedly reassigned to ICE, we cannot trust that such records would only be used to respond to coordinated cyber threats. It is unclear whether such records would be subject to open records requests, but university employees cannot have confidence that they will never be obtained by warrantless means including congressional subpoena, government request, or hacking.

Higher education and academic freedom are under attack, with coercive measures and revived tactics of McCarthyism and the House Un-American Activities Committee (HUAC). Protecting the University of Colorado mission of "high-quality education and professional training, public service, advancing research and knowledge, and state-of-the-art health care" requires protecting faculty, staff, and students from targeted harassment, chilling effects, and denial of due process via pretextual allegations and coercive measures applied to administrators. Alarmingly, the University of California recently gave lists of hundreds of faculty, staff, and students to the federal government without due process or even disclosing the allegations. The SCSC inadvertently generates vast amounts of data for pretextual investigations.

The requirement of a "compelling business reason" for exceptions to the SCSC infringes the Regent Law 5.B right to academic freedom by requiring that administrators (the Provost and Chief Operating Officer) approve of research and education that may challenge power structures. Not only does this compromise the ability to carry out such activities, but it inappropriately links administrators to decisions that faculty must have autonomy over. Additionally, faculty activities such as external service involve agreements to which the university is not a party and under which it has no right to access associated data. In some cases, such as law clinics, disclosure of data as a side-effect of SCSC mandates could jeopardize professional licensing. Privacy concerns extend beyond academic freedom and apply to all job categories including staff, with the 2022 NLRB memo GC 23-02 assessing that pervasive digital surveillance violates labor law.

The University of California system's Academic Council passed a resolution in June expressing concerns about similar mandates and calling for postponement and revision of their security mandate. Their open letter has received over 1500 signatures from UC faculty. OIT has pointed at the UC system as a model despite its ongoing infringement of academic freedom. We are especially concerned that the UC system has threatened personal financial penalties on unit heads and has used technical measures to require compliant devices for essential job functions including use of Canvas, Docusign, and their analog of myCUinfo, which also threatens student privacy on personally-owned devices. We point to the University of Washington as an example of a peer university with a robust record of defending academic freedom (including when faced with targeted harassment via congressional subpoena) that has chosen not to implement privacy-infringing mandates like EDR. We also note that European universities successfully defend against cyber threats while operating under privacy laws that prohibit many aspects of the SCSC.

Whereas the mission of the University of Colorado cannot be faithfully executed without robust protection of academic freedom under Regent Law 5.B;

Whereas security practices must be chosen to protect academic freedom;

Whereas such security practices have been chosen by domestic and international peer universities;

Whereas the Boulder Faculty Assembly Working Group on IT Security Standards found that the SCSC poses grave threats to academic freedom, including impact on pedagogy, curriculum, research, and other matters that faculty have principal responsibility for under Regent Law 5.A.1;

Whereas the greatest damage to higher education by the House Un-American Activities Committee was voluntarily self-inflicted by universities against their own faculty;

We the undersigned faculty, staff, and students of the University of Colorado Boulder call for administration to

  • establish a restorative dialog between OIT leadership, campus leadership, and faculty, facilitated by experts in academic freedom and the law to build mutual trust and develop a plan for robust collaboration on IT policies that affect academic freedom and matters of shared governance pursuant to Regent Law 5.A.1;
  • update OIT's threat model and responsibilities to include threats to academic freedom via digital means;
  • establish a data use and disclosure policy for all data and metadata collected by mandated and recommended software, including clarification of legal action that CU will take to protect such data, opportunity for faculty to advise or litigate, and liability if disclosure of such data results in harm to faculty, staff, students, or human subjects; and
  • give full consideration to the recommendations of the BFA Working Group on IT Security Standards Preliminary Report.