UO provides safe space for anonymous comments about IT reorganization

8/27/2016: 

For years the UO administration has harassed me over this blog’s policy of honoring the precedent of anonymous criticism set by Ben Franklin’s Silence Dogood. But our new leadership is actually encouraging people to submit comments on the Blustain report on IT reorganization anonymously.

However, while the New-England Courant put Ms Dogood’s letters and the responses to them out there for everyone to see, two hundred and ninety-four years later that is still a bit too revolutionary for the University of Oregon. The comments you submit will be seen only by authorized persons. So if you do use their Google form, consider also pasting your ideas anonymously into the comments here, so that your colleagues can see them and respond. I’ll pass it all on to the House of Lords.

Official release of the Blustain report here:


More, and anonymous reporting form here:


8/12/2016: Blustain’s comments on “The Oregon Way” leak out:

Back in 2011, former VPFA Frances Dyke paid consultants from Huron $1.789M to write a report on the VPR’s office that included this definition of “The Oregon Way”:


Stony Brook hires Melissa Woo as CIO

2/25/2016 update: Stony Brook hires Melissa Woo as CIO. Thanks to an anonymous volunteer for the news:


CIO Melissa Woo leaves UO:

From: Melissa Woo <mwoo@uoregon.edu>
Date: February 15, 2016 at 9:58:31 AM PST
To: “is-staff@lists.uoregon.edu” <is-staff@lists.uoregon.edu>
Subject: is-staff: Important news

To my IS colleagues,

After a great deal of consideration, I’m departing the university to pursue other professional opportunities, effective today.

I’m proud of the progress we’ve made since I arrived in 2012, and your commitment and hard work are the primary reasons we have seen so much progress. You work early in the morning and late after 5pm, and some of you wake up in the middle of the night to restore services when the unexpected occurs. I appreciate your dedication, and I appreciate your willingness to change even when that change hasn’t been comfortable.

You’ve made great progress in implementing IT service management using ITIL in order to improve coordination, communication, and service delivery to campus. I hope that you will continue to expand and improve upon ITIL processes in order to best serve the university’s needs.

I am confident that the IS Leadership Team is more than capable of leading during this transition. They have been working together extremely well as a team, and each is an excellent leader in their own right.

In closing, I’ve enjoyed working with each and every one of you. You’re a very talented (and fun!) group of IT professionals, and I will miss you greatly.

All the best,

Melissa

Bowl of Dicks trial reveals UOPD’s casual spying on employees

10/8/2015: This is from the trial transcripts, which I’m slowly getting through:


8/4/2015: UO administrator accessed employee email account without notice

Here’s the description of recent events, from an anonymous correspondent:

Administrators Are Permitted to Monitor Emails without Notice or Authorization

Consider the following scenario: Alice,* a staff member with a disability, has been ordered by her doctors to utilize her federally protected leave in order to recover from symptoms emerging from a potentially hostile work environment. Alice has been in contact with the Union, who are investigating the climate at her department for possible discrimination.

While Alice is away in recovery, Bob,* her supervisor and a department administrator, somehow acquires full access to all of Alice’s emails. Bob does not notify Alice that he intends to access her information, nor does he seek authorization from Information Security, General Counsel, or the Union. Rather, Bob simply unilaterally seizes full, unsupervised, and ongoing access to the entirety of Alice’s email account, including her correspondences with the Union.

Such an obvious conflict of interest and invasion of privacy would seem ludicrous if it wasn’t for the fact that it recently occurred at the University of Oregon.

As soon as this data breach came to light, the Union contacted UO’s Chief Information Security Officer (CISO) to clarify what exactly the criteria were for an administrator gaining access to an employee’s email. The CISO responded that the UO does not offer “wholesale access to another employee’s email.” There would have to be a “specific request” driven by a “business need” and submitted through the proper channels. If such criteria are met, then Information Security will attempt to provide the specific information, and only that information, which was requested. The CISO continued, “The only time we would give over all email would be in the case of a subpoena or other legal request.”

Under such criteria, Bob had obviously violated university policy by accessing and monitoring all of Alice’s emails during her absence from the office. The Union reported the data breach immediately, in conformity with the newly minted executive policy on Data Security Incident Response.

A few weeks later, the Union inquired with the Director of Employee & Labor Relations (DLR) at Human Resources to inquire after the progress of the investigation. What a difference a few weeks can make! The DLR responded that there had been no violation of policy, because UO in fact has no policy at all restricting administrator access to an employee’s email.

The Union reached out again to the CISO to clarify. The CISO responded that he believed that the situation was handled poorly, and that he did not believe that Bob was “philosophically” justified in accessing Alice’s data. Unfortunately, he admitted, there are no “specific policies” in place at UO at present to prevent, discourage, or reprimand an administrator who unilaterally decides that they have a “business need” to access and monitor an employee’s personal data without their prior knowledge or consent.

The CISO seemed as disturbed by this state of affairs as the Union, noting that it “raises a need for a procedure to be put in place regarding access to an employee’s email account” and that he “intend(s) to write up a procedure for situations like this” which will “hopefully alleviate situations like this in the future by providing a standard process.”

The Union applauds the CISO’s pledge to put policies in place that will provide the necessary checks and balances to rein in administrators who feel justified in violating their employees’ privacy at will.

The response at HR has been less encouraging however. As of this writing, the DLR has chosen to fully back management in this matter. Amazingly, rather than stand up for the rights of one of the most vulnerable members of the UO community in a case of discrimination, harassment, and gross invasion of privacy, HR has chosen instead to escalate the harassment by pursuing disciplinary action against Alice on behalf of Bob.

And as of this writing, Bob still retains full access to Alice’s email.

So, until the new policies are in place, be careful what you write and who you write it to.

* All names have been changed.

It’s more than two years since I started the thread below, trying to find out UO’s policy for email monitoring and access. Page down for the entire history. Obviously there are situations when supervisors need access to an employee’s email, e.g. a public records request or a court order, an emergency illness or death, etc. On the other hand there are situations where that access would be very problematic, e.g. the one described above, or when an employee has a complaint about the supervisor, or has used UO email to contact a doctor, counselor or lawyer, etc. So most universities have a sensible policy along the lines of UC’s, here:

An electronic communications holder’s consent shall be obtained by the University prior to any access for the purpose of examination or disclosure of the contents of University electronic communications records in the holder’s possession, except as provided for below. …

1. Authorization. Except in emergency circumstances (as defined in Appendix A, Definitions) in accordance with Section IV.B.2, Emergency Circumstances, or except for subpoenas or search warrants in accordance with Section IV.B.6, Search Warrants and Subpoenas, such actions must be authorized in advance and in writing by the responsible campus Vice Chancellor or, for the Office of the President, the Senior Vice President, Business and Finance (see Section II.D, Responsibilities). This authority may not be further redelegated. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the situation. …

3. Notification. The responsible authority or designee shall at the earliest opportunity that is lawful and consistent with other University policy notify the affected individual of the action(s) taken and the reasons for the action(s) taken.

Each campus will issue in a manner consistent with law an annual report summarizing instances of authorized or emergency nonconsensual access pursuant to the provisions of this Section IV.B, Access Without Consent, without revealing personally identifiable data.

UO’s policy is here. It’s not as cogent, but it also seems to ban the sort of blanket access that is described above. And UO IT also passes on the following helpful advice, here:

  • Never share your password with anyone.  This includes your supervisor, co-workers, and IT staff.
  • There may be some destinations (such as China, Russia, and other areas overseas) where it may be difficult or impossible to prevent your computer from being attacked and electronically compromised.

China and Russia indeed.

8/2/2013: UO has no policies limiting which administrators can read your email or monitor your web use, or why. From Dave Hubin’s PRO:


Return to sender, that address unknown

6/21/2013: UO’s email servers have been blacklisted because someone was sending spam. As usual, The King has the best explanation of the technical details, or see http://pages.uoregon.edu/status/reports.cgi for the layman’s version, which says you should have gotten a bounce message if any messages you sent were “returned to sender”. Apparently you can work around this by using your regular email program and setting Gmail as your outgoing server. This has been going on for a week or so; I don’t understand why they didn’t send out an email notifying people and telling them how to fix it.

Randy Geller would never do this, would he?

NYT:

Harvard secretly searched the e-mail accounts of several of its staff members last fall, looking for the source of news media leaks about its recent cheating scandal, but did not tell them about the searches for several months, people briefed on the matter said on Saturday.

Under state law he can. Thanks to a fellow paranoid for the tip. 3/10/2013.