Wednesday, February 26, 2014

Exclusive: the response to AUB president Dorman from the Executive Committee of AUB Faculty United

An inside source shared this statement by the Executive Committee of AUB Faculty United:

"Dear President Dorman,

We have read both the official report posted on the Office of the President webpage, and the leaked version posted on the Al-Akhbar website, of the Faculty Working Group (FWG) that was formed in the aftermath of allegations that the entire database of faculty and staff email records had been copied and given to the Office of Internal Audit (IA) last year. As stated in the FWG’s findings, these allegations sadly turned out to be true. We also learned, to our dismay, that the IA has been receiving logs of all outgoing and incoming phone calls of campus telephones, in addition to email communication logs.

While we welcome your clear endorsement of the FWG’s recommendations, we deem your response incommensurate with the gravity of the FWG’s findings and the apparent ill-conceived exercise of authority in a manner that potentially compromised a large amount of sensitive private data at AUB. We find it disturbing that you appear to defend the actions of those involved, rather than holding them accountable.

Reading the published report, we note the following:

- Although the FWG report seems to have been completed weeks if not months ago, it appears as if it took the Al-Akhbar leak on Saturday, February 21, 2014 for it to be disseminated by the Office of the President. Principles of transparency necessary for the good governance of the University would have dictated that the report be issued by the Office of the President in a timely manner, avoiding this public embarrassment to the University and its faculty members.

- The FWG findings provide no assurance of the statement in your email of Monday, February 24, 2014 that “[…] no email access occurred other than in the context of an approved investigation, and then with specific authorisation” (page 2 of your statement, point 2). To the contrary, the report explicitly states that there was no traceable chain of custody for this very large and sensitive dataset. Indeed, the protocol developed between the Chief Information Security Officer (CISO) and the Internal Auditor was not implemented as agreed (Section D, point 12). Furthermore, there is no evidence that the disks were destroyed or that they were not shared with third parties, except for the unrecorded testimony of the Internal Auditor (no members of the IA office were allowed to be interviewed by the FWG to corroborate the Internal Auditor’s statements). The refusal by IT to stand witness to the destruction of the disks is also a telling statement (broken chain of custody; Section D, point 14).

- The report states that IA has “wide reaching” power and authority over communication within AUB, and this power may be used without checks or accountability: “These powers were exercised [italics added] without a clear mechanism for oversight during the audit investigation”. Paragraph 3 of the same section states that “since January 2012, the IA office has regularly received phone logs of all [italics added] outgoing and incoming calls to AUB extensions” (Section C, page 7). Given that faculty members and staff are not informed of this NSA-like practice, we believe that it constitutes an unjustified violation of their privacy rights.

- The report also highlights that the “IA was intending to mirror the complete email system of AUB in order to obtain immediate real time access to mailboxes. Real time access was also requested to the telephone logs” (italics added; Section D, point 3). We are outraged at this allegation of unrestricted real-time monitoring of faculty and staff when the IA’s role is limited to risk management. Moreover, we are shocked to learn that copies of email log files are provided to IA and to VP-Legal Affairs.

- Section D of the report focuses on the actual “Incident” of transferring the AUB email database outside the IT Data Center. The report highlights the following points that are worth considering:
  a. AUB’s CISO clearly objected to removing the email archive from the IT Data Center, and felt compelled enough to write the administration “questioning the appropriateness” of such an action (Section D, paragraph 8).
  b. This “cautionary” note did not prevent someone higher in the administration hierarchy (not explicitly named in the report) from ordering the CISO to “comply and provide the two hard disks to the IA” (Section D, paragraph 11). We would like to know who issued these orders.

- The report states that the FWG was not allowed to meet with key actors or to access key documents deemed “relevant” to its inquiry: “Although the FWG met with the University Auditor, the request by the group to meet with the IT Audit Managers at the IA offices was denied. The FWG was also denied [sic–by whom?] access to what it deemed to be relevant documents that were in the possession of the IA office and the VP-Legal Affairs” (page 5, paragraph 3). No justification was provided for why the FWG was not allowed access to key staff and documents.

- Similarly, while all interviews were audio-recorded, both VP Legal Affairs Peter May and Internal Auditor Andrew Cartwright refused to follow this procedure. Why did these two key administrators refuse to comply when the AUB President, Provost, COO, and others followed this procedure?

President Dorman, we believe that the absence of explicit policies and procedures does not constitute sufficient grounds to violate common-sense security protocols and override the CISO’s concerns. The absence of a clear “chain of custody” of the hard disks is alarming considering the sheer volume of sensitive data involved, which, if placed in the wrong hands, could harm AUB.

Furthermore, you mention in your message the data privacy challenges faced by universities worldwide, including Harvard University in 2013. We note that the controversial email search at Harvard University is widely believed to have led to the departure of the former Dean of the College Evelynn M. Hammonds shortly after the event garnered criticism from faculty, students, and the US media. We hope that you will hold your administration to the same high standards and accountability that you expect of your faculty and staff. The report is clear in that the actions of Internal Auditor Andrew Cartwright in moving the data out of the IT Data Center were questionable at best, and the actions of another person not named in the report in forcing the CISO to unwillingly hand in the hard disks may constitute an abuse of authority. We are appalled that this serious breach of data privacy is being handled at the “policies and procedure” level, when a stronger message needs to be communicated to the AUB body: a culture of unchecked use of authority and disrespect for the basic human right of privacy should be discouraged. We urge you to hold those who violated this right and mishandled important AUB data accountable.

The Executive Committee of AUB Faculty United."