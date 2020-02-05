In Purdue University president Mitch Daniel’s 2018 Washington Post opinion piece, he asked, “Isn’t technology wonderful? Forget that old ominous line, ‘We know where you live.’ These days, it’s, ‘We know where you are.’”

The question of online privacy and security has generated feelings of uncertainty in the face of the potential for surveillance overreach.

At colleges and universities across the United States, there has been an uptick in interests surrounding student data collection throughout the last several years, leading to the question of where exactly Penn State stands on some of those issues — specifically regarding its WiFi tracking policies and data collection.

“The university does log network activity for user accountability and network availability, as well as for troubleshooting and threat detection. These logs include the access point locations where users connect,” Bill Wrobleski, Penn State associate vice president for infrastructure, said in a statement. “A side effect of these logs is that they can be used to determine the general location – within about 3,000 square feet – of a user or asset connected to the Wi-Fi. By policy, this data is maintained for one year, and can be subpoenaed by law enforcement.”

For Cole Daubenspeck, team captain of the Penn State chapter of Collegiate Penetration Testing Competition (CPTC ), it is necessary to remember that information technology (IT) teams “should be collecting logs from the devices under their control.”

He said the real question data owners have to ask is, “Do these benefits provided justify the cost of sacrificing students’ privacy?”

Daubenspeck (junior-cybersecurity analytics and operations) emphasized the fact that the data collection methods Wrobleski mentioned, including the “side effect” of logging location data, have the benefit of giving IT teams the ability “to detect threats and respond appropriately.”

He noted that with this side effect, “if combined with the location data from a different access point, you can triangulate someone’s position much more accurately — the same way the police may triangulate a phone connected to cell towers.”

However, Daubenspeck maintained the ethical question of data collection is different in the case of on-campus student location tracking, claiming, “every individual should have the right to privacy where they live."

“In my experience, Penn State IT certainly considers the privacy impacts their decisions have on students and values students’ right to privacy,” Daubenspeck said via email. “I’m not implying that Penn State is disregarding students’ privacy concerns or behaving in an unethical manner. Regardless, this doesn’t mean their decisions shouldn’t be free from scrutiny. Penn State should be transparent as to why they are making the decisions that they are.”

Penn State information sciences and technology professor Daniel Susser continued on this line of nuance — he said it is not merely enough to consider knowledge of WiFi tracking or the practice data collection a binary of good and bad.

“It always depends on the specific case. I think we have to look at the details quite carefully,” Susser said. “The thing that worries me about how these tools are being rolled out right now is not that they’re being rolled out but that by and large, we’re only finding out that they’re being deployed after the fact and most of the people who are going to be affected by them are not being consulted in the process of designing and deploying them.”

Daubenspeck said he thinks if the system is constantly tracking people, collecting unnecessary data and selling it to third-party vendors, it could be intrusive.

“I would have large concerns about how my personal data would be handled,” Daubenspeck said. “One of my classes used Arkaive , which certainly fits my description of an overly intrusive system. Why do they need my personal information, including my name, address and contact information just to check me into class?”

Moreover, the rising suspicions toward institutions that log needless data in the first place seem to be accompanied by widespread feelings of uncertainty as to how one may broach and eventually overcome these issues, if at all.

Susser argued that the American model for regulating data and information privacy is “individual-centric.” He placed the responsibility of remediating and accounting for data collection squarely on users or owners of that data, a model which has been shown by privacy scholars to simply be ineffective on a large scale, according to Susser.

Susser said people are pushing for regulation that takes some of those responsibilities and burden off of the individuals and puts it on data collectors.

“Right now, our law and policy doesn’t do that, but there’s certainly movement and agitation to create new laws that do that — people don’t feel capable, they don’t feel like they have the power to actually make meaningful decisions about information flows about them and they’re probably right,” he said.

Susser said for students who wish to take personal action, they can visit the Electronic Frontier Foundation or the Center for Democracy and Technology in order to make use of all the resources at their fingertips.

However, it’s important to recognize that password managers and two-factor authentication “are only going to get you so far.”

“I think what individuals need to do and what students need to do on campus is publicly and collectively demand accountability and transparency from administrators so that they can learn what kinds of systems are being developed, how they’re being developed, who owns them, what data is being collected and so on,” Susser said. “So they can ensure that those systems are serving them.”