NNSquad - Network Neutrality Squad


[ NNSquad ] MIT monitoring campus network traffic


----- Forwarded message from David Farber <dave@farber.net> -----

Date: Fri, 17 Apr 2009 15:02:25 -0400
From: David Farber <dave@farber.net>
Subject: [IP] MIT monitoring campus network traffic
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>



Begin forwarded message:

From: Rebecca Jeschke <rebecca@eff.org>
Date: April 17, 2009 2:25:42 PM EDT
To: EFF Privacy <eff-priv@eff.org>
Subject: [E-PRV] MIT monitoring campus network traffic

http://tech.mit.edu/V129/N20/networkmonitoring.html
For Years, IS&T Has Monitored Network Data Without Policy
By Quentin Smith
STAFF REPORTER
April 17, 2009
Since 1999, Information Services and Technology has been collecting  
information about campus network traffic without an official policy  
governing how it may use or store the data.

Currently, IS&T monitors all network connections within campus,  
originating from campus or destined for campus, and makes a record of who 
connected to whom.

For instance, the logs would be able to show that a student visited a  
particular website at a particular time, but not what the website  
contained.

According to Timothy J. McGovern, Manager of I/T Security Support, this 
information is only stored for three days, though there is no official 
policy.

IS&T also monitors raw data going from and to MIT, which is scanned for 
anomalous patterns. Though it is possible for someone to look at the raw 
data, McGovern said that nobody does. Any suspicious activity is logged for 
no more than 30 days, McGovern said.

McGovern emphasized that no one outside of IS&T has access to the raw data 
or logs.

IS&T does not publicize any of these practices on its website.

Undergraduate Association President Noah S. Jessop ’09 said he was  
surprised that IS&T was collecting this information without notice. “It is 
not the kind of thing I would expect from MIT, and it is definitely not the 
kind of thing that I would expect to hear long after the fact.”

Data and connections being recorded

IS&T collects information on network activity in order to investigate  
compromised machines, which are machines that have been hacked or have a 
virus or worm. All connections are monitored, not only in academic  
buildings but also in dorms and FSILGs.

When I/T Security Support detects a compromised machine, they typically 
confirm that the machine is affected and then contact the machine’s owner 
to inform them of the compromise.

IS&T collects information about every connection on campus, and keeps it 
for three days. The logs include the connection’s source address and port, 
destination address and port, start timestamp, end timestamp, and the 
amount of data transferred over the connection. The logs don’t include any 
of the raw data that is transferred. McGovern said that the connection 
information is only stored for 3 days, and described that time as the 
“current operating policy.”

IS&T also scans a portion of all raw data that passes in and out of  
campus. The data is fed into an intrusion detection system that flags  
suspicious activity. McGovern said the raw data is not stored. Mike  
Halsall, information and network security analyst, said that the logs of 
suspicious activity are not kept for more than 30 days.

For both the connection logs and the suspicious activity logs, only two 
people have access: Halsall and Tom N. Jagatic, senior IT security  
consultant, both of whom work for IS&T. Jeffrey I. Schiller ’79, MIT  
Network Manager, confirmed that this data is being generated and it is  
only being sent to the I/T Security Support team. Schiller and McGovern 
both said that they have never seen a subpoena for these logs.

MIT has briefly stopped monitoring in the past. In 2004, as IS&T was  
undergoing reorganization, the raw data feed was shut off, which prompted 
complaints. According to McGovern, the port was turned back on when staff 
contacted Jerry Grochow ’68, the Vice President of Information Services and 
Technology, saying that “being able to detect and recover compromised 
machines was a good thing,” and Grochow directed that the port be turned 
on.

No Official Policy

Officially, IS&T collects DHCP logs, which are used to link people’s  
computers to their online addresses. These logs are what are typically  
subpoenaed when the RIAA or MPAA is pursuing an alleged copyright  
infringement case. The policy regarding DHCP logs is published on the IS&T 
website.

In contrast, IS&T does not appear to have any policy covering the  
retention and use of connection or security logs.

Professor Harold Abelson, who teaches 6.805 “Ethics and the Law on the  
Electronic Frontier,” found it troubling that these logs were being  
collected without public knowledge. “It’s a violation of fair information 
practices to be keeping logs that people don’t know about … If they’re 
collecting logs, they have to inform people that it’s there. If they’re 
collecting logs, there has to be a policy on how those logs are used or not 
used.”

Abelson also said that because these logs could involve student  
information, having a policy is especially important. He said that a  
policy would probably need input from the Council on Educational  
Technology.

About the logs, Jessop said, “It’s egregious to implement measures on the
network that could be used to circumvent user privacy without both
policies and procedures in place and some means for the users to
understand what the implications to them might be.”

“If you told me this was Comcast, I wouldn’t have been quite as  
surprised,” he said.





----- End forwarded message -----