The IT department of Ohio University (OIT) is introducing a new practice, the so-called "network registration requirement," which can only be called a step toward total user surveillance. The text on the OIT website (http://www.ohio.edu/oit/netreg/) reads as follows:
"Ohio University requires that all devices connected to the University wired or wireless network be registered. Students will need to register their devices once per academic term. Faculty and staff will need to register their devices annually. Registered devices will be subject to periodic security scans to identify OS vulnerabilities, virus infections, and other potential security risks."
This new practice will not only apply to OU-owned computers and devices, but also to privately owned ones if and as soon as they are connected to the OU system. The "security scan" gives OIT full access to the scanned computer or device.
This "network registration requirement" is in fact the forcible implementation of the earlier "audit scan," which was introduced last spring – first as a voluntary service and then as a mandatory practice. However, the "audit scan" only applied to OU-owned computers, and it also encountered some resistance from OU faculty and staff, which is why its implementation has not been successful.
The "network registration requirement" is a far-reaching, highly intrusive surveillance system that is (a) completely unwarranted; (b) not justified anywhere by OIT (they only declare its existence but don't even try to give any specific reasons for it), nor by any existing OU policy; and (c) a stealth intrusion into anybody's and everybody's electronic devices, no matter whether they are OU property or privately owned.
We should all be asking, and be concerned about, the following questions:
1. Since when and how exactly does "OU require" this registration? Is there a policy about this? Has there been any input from Faculty Senate or related committees on this issue?
2. What warrants these full-blown "security scans" of EVERY registered computer/device? Shouldn't there be some principle of proportionality in place that balances intrusive scans against potential threats? Did OIT conduct any sort of cost/benefit analysis that would justify such blanket surveillance?
3. How is it even possible that such a far-reaching, systematic and intrusive surveillance action is not only applied to OU-owned computers/devices but also to privately owned ones? (It is one thing to require users to register their devices; it is another one to use that as an opportunity to arbitrarily invade their devices!)
4. What measures, if any, are in place to prevent abuse? These "security scans" open up computers and other electronic devices to abuse and exploitation. This abuse can range from an IT employee's accidental receipt of private information about somebody that may lead to a conflict of interest at a later point, to a situation where an IT person could actively pull data from or manipulate data remotely on a faculty or staff member's computer. Indeed, what keeps a dishonest IT person from manipulating or stealing data, including things like credit card and online banking information, from a private computer?
5. What are the implementation and annual costs of this system? In times of scarcity and cuts of faculty and staff positions, is this really the area we want OU to invest money in?
6. Given that all recent IT problems at OU with regard to security breaches had to do with deficiencies of the IT department and their individual employees (e.g. having hard drives with sensitive data stolen from a car), but were NOT caused by the many users of the OU system, it is mystifying why the IT department seems to be putting all its energy into surveilling OU users. Is there any explanation for this?
I am seriously distressed and dismayed by these new surveillance activities. This is the kind of overreaching practice that we would quickly (and rightfully so) criticize if it were to happen in a dictatorial nation.