When it came to light last summer that a hacker had broken into the UCLA Health System’s computer network, the uproar was understandable.
The breach potentially compromised the medical records of some 4.5 million patients – names, birthdates, Social Security numbers, diagnoses, all unencrypted. It was unclear how many months the intruder had been rummaging around undetected. Within days, the university was facing 17 lawsuits.
The university, understandably, wasted no time in battening down the cybersecurity hatches. A former secretary of Homeland Security, UC President Janet Napolitano swiftly contracted with outside security experts to more tightly monitor all digital traffic at the UC’s 10 campuses.
Because of the litigation and security concerns, though, faculty representatives and staff apprised of the situation couldn’t publicly discuss the operation. So when word leaked that UC could now track information that, until then, had been private – what websites users had visited, for instance, and headers on emails – some were, again understandably, outraged.
At UC Berkeley, where suspicion of authority is hardwired into the faculty culture, a dozen or so tenured members went public last week with concerns that Napolitano had opened the door to gratuitous snooping. That’s highly unlikely, but to the extent that attorney-client privilege will permit a conversation, bringing more wise minds to this thorny issue can only be to the common good.
Balancing privacy and security in an age of terrorists, hackers and domestic spying is shaping up to be one of our major challenges. A recent Pew Research Center survey found that only 9 percent of Americans believed they had a lot of control over how much information is collected on them.
On the other hand, a Gallup poll last year found that Americans are more afraid of being hacked than they are of being robbed, mugged or murdered. And what hackers love most are big databases of personal information – the kind kept by, say, health systems and universities.
It’s tempting to remind the Berkeley professors that theirs may be the last employer in the state where it isn’t taken for granted that the boss is monitoring every keystroke at every workstation. But universities are different. A browsing history, carelessly stored, could open controversial research to political attacks, or get a foreign student’s visa revoked in some dissident witch hunt, or potentially threaten job prospects for undergraduates following their curiosity.
Data in the UC system have generally been more secure even than data on personal laptops and smartphones, and part of the faculty’s fear is that, in adding another set of eyes, third-party monitoring might backfire. Some note that UC still hasn’t explored some basic and less intrusive security options, such as strengthening passwords with two-step verification.
That said, it also might help if the faculty were to park their high horse for a minute and have a little more faith in Napolitano. Berkeley dream scenarios aside, they aren’t Edward Snowden outing the National Security Agency for widespread domestic surveillance.
Clearly, the UCLA litigation, which is still pending, put the university between a rock and a hard place; tenured professors are sophisticated enough to know that. But now that the cat’s out of the bag, working together on this quandary in good faith could yield a real contribution. To that end, a little understanding would go a long way.