Lab Blog

In the works

September 11, 2016


On the academic big brother

I usually receive emails from the UC bureaucracy on a daily basis, and most of the time I can easily enough ignore them. However, a couple of months ago there was an email that was different from the usual meeting announcements, new hires for whatever dean position or news-stories that highlight of UC faculty appearing in national and international newspapers/shows/journals.

This email came from UCSD Health Sciences Communications department(?) and instructed all faculty, staff, students and affiliates of UC San Diego Health Sciences and UC San Diego Health to
...have their smartphones and other mobile devices enrolled in an approved Mobile Device Management (MDM) solution in order to continue accessing UC San Diego email and calendar on the mobile device. This includes both University-purchased and personal smartphones and tablets...
It got on to say that
... During the installation process on the mobile device, a general warning is displayed that lists features that could [!] be enabled, depending on the deployment model used. Our deployment model will configure all devices as Personal Devices (BYOD), regardless of who purchased the device.
This means that our license does NOT give us the capability to collect or inspect any of your personal, banking, credit card, or location information, call history, voicemail, application data, photos, videos, web and search history, applications installed, or text (SMS) messages. Our MDM solution has been configured to collect and apply only what is necessary in order to ensure the security of information on the device. More specifically, it will be limited in scope to verifying that it meets minimum university security requirements (...) and regulating access to university health sciences applications such as and calendar...
In the event your device is stolen or compromised, MDM does have the capability of removing data stored in applications deployed through MDM, and of remotely wiping University data and applications, but not your personal data and applications.

We recognize that there are members of our organization who may never send or receive protected information such as protected health information (PHI) or personally identifiable information (PII), but it is impossible for us to distinguish who those people are or when a condition would change and expose sensitive data.
And herein lies the problem.
I do not for a second believe that UCSD is unable to distinguish 'who those people are'. Excuse me? You know very well who 'those people' are. These are your nurses, doctors, health specialists. These may also include scientists (non medical and medical) that have an approved IRB in place where personal data IS collected. Indeed the Institutional Review Board was established to safeguard exactly those information. (I would actually be rather concerned if UCSD Health Sciences would NOT know who has access to this kind of information.)
Hence, to subject ALL faculty, staff, students and affiliates to this is in my view WAY overboard.

Of course this should not have been a surprise, specifically with the UC’s history of covertly snooping in on faculty emails and website traffic, their inability to secure their own devices and computers, and with a former head of Homeland Security at the helm of the organization.
But sure. I will make my personal device MORE secure by installing this software...?

So what is it that UCSD Health Science Communications wants us to install?
It is called a Mobile Device Management. In this particular case from a company called Airwatch.
On the iTunes store, the Airwatch Agent app (Note 1: the app is aptly named 'agent'; Note 2: please also have a look at the reviews in iTunes!) showcases some of the features of the software:
  • Enforce security restrictions and encryption
  • Set up compliance rules and actions
  • Upload and manage corporate documents and videos
  • Capture detailed device information
  • Track devices through GPS device locating (Continued use of GPS running in the background can dramatically decrease battery life.)
  • Perform a device lock or wipe
  • etc...
While UCSD (for the moment) insists that some of the features listed ARE NOT enabled, who says that they may not be enabled at a later time-point, and without consent of the phone/tablet owner and/or without proper notification?

Moreover, installing this piece of software creates plenty of problems example 1, example 2, example 3. In addition, there are even detailed workarounds on how to make an enrolled jailbroken (android) device 'compliant'! Airwatch and softwares like it are not without controversy as detailed in articles here, here or here.

I grew up in a (former) country where an estimated 1 in 63 people snooped on the rest of the population for the STASI. This sensitizes me somewhat to the demands that UCSD Health Science Communications asks of me.
While I agree that there is a clear need to safeguard privacy and patient information, the blanket approach to install snooping software on devices of ALL affiliates is in my view one step too far!

So what would be a solution? Maybe UCSD should provide a work-related phone for all employees and affiliates that handle these sensitive information. Maybe only employees who access sensitive information through a UCSD deigned software/app should be required to have this software installed. What about an opt-out system that requires you to verify that you are not handling these data... I do not really know. But surely there is a better solution to the one we are now apparently forced to sign on to!

Share this blogpost  

Please remember the disclaimer.