The University of California, Berkeley, has become the first university in the United States to publish a set of transparency reports that detail government requests for student, faculty, and staff data.
In the tech world, transparency reporting has become an industry standard. After Edward Snowden leaked the names of companies assisting with government surveillance in 2013, businesses eager to earn back public trust began a race to let users know as much as possible about how their personal information is handled. When companies release a transparency report, it's always voluntary. In fact, the law actually limits what companies are allowed to disclose via a mix of gag orders and other burdensome restrictions.
Colleges aren’t exactly tech companies—but they aren’t so different, either. Like many higher-ed institutions, UC Berkeley essentially functions like an Internet service provider unto itself. It has more than 37,000 students, 77,000 active university email accounts, and the potential for upward of 100,000 devices connected to the network at any one time. Unsurprisingly, the school occasionally fields requests from law enforcement for data.
Universities are places where the exploration of new and often controversial topics should be encouraged. Sensitive data is studied and collected as part of research, students organize for political change, and people often seek care and share extremely private information online. Berkeley has long been explicit about the importance of digital privacy in campus life. In a recent report, its Privacy and Information Security Committee wrote:
“Academic and intellectual freedoms are values of the academy that help further the mission of the University. These freedoms are most vibrant where individuals have autonomy: where their inquiry is free because it is given adequate space for experimentation and their ability to speak and participate in discourse within the academy is possible without intimidation. Privacy is a condition that makes living out these values possible.”
According to its transparency report, UC Berkeley processes on average 39 requests from government, law-enforcement, or internal investigations a year. These are called “non-consensual” requests, meaning that data is searched whether or not the account holder consented to the investigation or has even been alerted. If you divide the 39 fulfilled requests for account data by the 77,000 active accounts at the university, you find that 0.0506 percent of accounts are affected by nonconsensual searches. That's not as low as it seems—Apple reports that 0.00571 percent of customers have been affected by government search.*
The transparency report also offers a glimpse into how the university processes these requests. Before information is released, the requester must fill out a form for review by the campus privacy office. Depending on the nature of the request, it might be vetted by the Academic Senate and university counsel before being granted or denied.
“We believe privacy begins at home,” says William Allison, one of the brains behind the report and director of Berkeley’s IT architecture team. “We are reinforcing an expectation of privacy among the students, faculty and staff, and helping to educate the next generation’s leaders. This positions our campus community to actively engage in the national debate on these issues.”
Jason Schultz, a law professor and the director of the Technology Law and Policy Clinic at New York University, says, “What’s most important is that, by committing to transparency, we can now begin to see the long-term trends for UC–Berkeley and if there are any spikes around important political events, such as protests or rallies.” Student activists and faculty can even use the transparency report to leverage changes in campus policy. If other universities jump on the bandwagon, Schultz says, “it will also give us a better sense of the relative level of privacy that UC–Berkeley offers to its students versus other campuses, especially in terms of asking that law enforcement officials go through the proper oversight channels, such as getting a warrant from a neutral judge.”
It’s particularly important because there's a robust history of government surveillance of faculty and student activity. In the 1960s the CIA had an entire strategy dedicated to infiltrating the students’ rights movement in an effort to counter communism. The days of communist panic may be gone, but in 2012, it was revealed that the New York Police Department had bugged the meeting and prayer rooms of the Muslim Student Association at NYU and other East Coast universities. Federal surveillance programs clearly have an interest in contemporary university life, making transparency about steps a university takes to protect personal data on campus networks even more essential.
Other higher-ed institutions should follow Berkeley's lead—maybe even compete to have the most informative disclosures. For example, future transparency reports could also provide examples or specifics about certain cases they've encountered, similar to what Wikimedia did with its innovative reporting on copyright takedowns. Future campus reports might also consider disclosing how vendors like Google or library catalog systems collect data on faculty, students, and staff, a step that would also go beyond current federal education privacy law.
It might be a lot of work for universities. But as educators know better than anyone, knowledge is power.
Disclosure: The author previously worked at the Electronic Frontier Foundation, where she advocated on digital privacy issues in university communities.
*Correction, Sept. 18, 2015: This post originally miscalculated the percentage of live accounts affected by nonconsensual searches at UC Berkeley. Thirty-nine divided by 77,000 equals 0.0506 percent, not 0.000506 percent. The count of Apple customers affected by government search was also misstated. Its transparency report notes 0.00571 accounts have been affected by government search, not 0.000571, as reported.