Graduate Students Analyze, Crack, and Remove Under-Desk Surveillance Devices
Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school's Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the "Cybersecurity and Privacy Institute" which studies surveillance. These sensors were installed at night — without student knowledge or consent — and when pressed for an explanation, students were told this was part of a study on "desk usage," according to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter....von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response. Motherboard writes that the controversy ultimately culminated with another listening session in which Luzzi "struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical."
Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.... Luzzi wrote, the university had deployed "a Spaceti occupancy monitoring system" that would use heat sensors at groin level to "aggregate data by subzones to generate when a desk is occupied or not." Luzzi added that the data would be anonymized, aggregated to look at "themes" and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees "trust the university since you trust them to give you a degree...."
After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.... After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.
"Afterwards, von Hippel took to Twitter and shares what becomes a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors are removed..."
Re:David Luzzi must be fired.
spying on students who give the university money
Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.
This is incorrect. Looking at federal loans, the average amount of debt for undergraduate and graduate loans is almost the same. Some graduate students at some schools get free tuition and some don't.
then lying about it
The proffered explanation, while stupid and unethical, is most likely true.
The proffered explanation and the students' claims are not necessarily exclusive. Just because there was some thought given to an academic, anonymized study does not preclude misused of the data.
These aren't concerns, concerns are a potential.
This "study" WAS terrible, unethical, and a waste of money. In fact I'm doubtful there ever was a study at all and imho this was most likely either some kind of quid pro quo for the spyware company or an attempt at further normalizing orwellian surveillance state behavior.
STOP! Just stop, please...
After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted....
For goodness sake, these devices don't have cameras or microphones, it's a "person detector", it tracks when there is or is not a body at the desk. Why in the world would this need to be "encrypted"? What elaborate "security" is needed?
If the devices are on a network, they have a unique ID (MAC address, for example), but beyond that, they are tracking a Binary phenomenon, either there is or is not a body at the desk. If you don't match the unique ID of each sensor to a particular desk, there's plenty of security.
Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe - detect if someone is at a particular desk.
Re: STOP! Just stop, please...
Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe - detect if someone is at a particular desk.
According to TFA, desks are assigned to individuals. So this is 24/7 monitoring if you at your workstation. When did you arrive? How many time did you step away from your desk? For how long?
Sure, someone walking by could do a headcount, but they probably aren't writing it down, and certainly aren't there 24/7.
David Luzzi must be fired.