Scitech  McGill net security, our digital Big Brother

Decoding the “black box” of computer surveillance

The email messages you’ve sent, the web sites you’ve visited, even the Facebook wall posts you’ve posted: any and all of your online activity is subject to surveillance by McGill’s information security group.

Any computer, computer network, or software under McGill University’s control is considered part of McGill Computing Facilities (MCF). Under the Code of Conduct for Users of McGill Computing Facilities, authorized McGill personnel may compromise user privacy while performing routine operations or responding to potential security threats and violations to the MCF code.

Under the code, users have a right to privacy, but that level of privacy does not exceed “reasonable expectations.” But the exact definition of “reasonable expectations” has yet to be defined. Last year, a former McGill student faced academic probation for altering a Wikipedia information page about a professor, while logged into McGill VPN.

Sylvia Franke, McGill’s Chief Information Officer, commented on network security operations in an email message to The Daily.

“We use a number of technologies to ensure secure networks – including a newly-implemented intrusion prevention system [and] audit trails on login information to support traceability,” Franke said.

The student, who must remain anonymous for fear of facing further punishment, has not had a unique experience. Staff members are also subject to the computer monitoring.

Jeremy Cooperstock, an associate professor in electrical and computer engineering, commented on the investigation of his and other staff’s personal computer files. “[Since] the administration does not disclose to the faculty that their files have been investigated, we have no idea how often it happens,” Cooperstock said. Frustrated at the lack of communication between the faculty and administration, Cooperstock maintains a blog of Senate meetings and other incidences of what he calls “a lack of honesty and blatant disregard for a general kind of ethical work practices.”

According to Franke, Information Security responds in “specific reported incidents or in cases where their further investigation is warranted due to potential threats exposed by our security technologies.” The Chief Information Office however, did not comment on how frequently these violations occurred or what specific situations constituted a “threat.”

The main question lies in how the administration is able to monitor computer activity.

Harrison Brundage, U0 computer engineering, and an online entrepreneur shed light on the black box of monitoring systems.

“McGill is essentially between us and the Internet; all our traffic goes through them and they could go through what we do if they want,” Brundage said.

Brundage explained that a computer network is a set of layered components that connect together for computers to communicate. One of these components is called an Internal Protocol (IP) address. These IP addresses are managed by a router, which is the central computer that manages Internet users’ messages and web destinations. In the case of McGill networks, this router is owned by McGill. The “central computer” assigns a specific IP address to identify each individual user, and another IP address identifies each web address visited.

The IP address gives a multitude of identifying information, including where the user was connected and at what time – even the specifics of the computer.

IP addresses, however, are not private information. Even Wikipedia has a system of tracking IP addresses to log inputs and prevent abuse. On the Wikipedia website, there is a public history view for all the additions and edits made to a specific article, identifying the IP address of the user who made the revision. This IP address log is common to a lot of websites like Facebook, and online forums that contain “dynamic content” – spaces where you can input information.

“Getting the IP address is easy. The difficult part is taking an IP address and getting a name from it,” Brundage said. Tracking a user may take considerable detective work under normal circumstances, but when you voluntarily sign into the McGill network or VPN using your McGill ID, there is little to deduce. With over 22,000 students at McGill though, the task of online surveillance seems daunting. To help, there are a multitude of computer programs that may be able to aggregate information about when a user accessed what web address, or downloaded a specific file.