When on campus, students, faculty, staff and community members are almost always connected to one of the UBC’s approximately 8,700 wireless routers. And for the most part, the university’s wireless networks like ubcsecure and ubcvisitor are fast, convenient and reliable.
But the cost of that convenience is the data UBC collects from every person connected to those wireless networks.
The administrative unit that manages these networks is UBC Information Technology (IT), and it collects data such as Campus-Wide Login (CWL) usernames, the media access control (MAC) address of users' devices and location. Most of the time, this data is collected for the purpose of supporting users who are experiencing issues with wireless networks.
This data is used internally within UBC IT, and it’s used for troubleshooting technical problems to do with the wireless networks, according to Network Analyst Devin Kettle. It’s also used to figure out how to improve and maintain the quality of the networks, as well as for recovering stolen devices.
“Any data that is used outside of this context, for example, by UBC Energy & Water Services to generate building occupancy counts, is anonymized by a function in the wireless control system servers that scrambles username and wireless device MAC address,” said Kettle.
In 2015, a pilot project took place in the Irving K. Barber Learning Centre with the help of private company Sensible Building Science (SBS) and its co-founder, Stefan Storey, who holds a Master’s degree and PhD from UBC.
Now being used regularly in the library and many other buildings on campus, SBS’s product “the Bridge” uses anonymized occupancy data to change the airflow in a room based on how many people are connected to wireless networks.
While this anonymized information can be given to external sources working with the university, UBC IT still internally stores the non-anonymized data of your CWL username and location.
“The data [collected for use by external services such as UBC Energy & Water Services and SBS] is retained for 7 days and is then destroyed. Data that are retained internally by UBC IT system logs have a 1-year horizon,” said Kettle.
This information is only viewable by a limited number of people who are audited regularly, which may put worries about personal information to rest for some. But for others, the fact that this information is being collected at all is a concern because it’s not common knowledge.
Sara Neuert, the executive director of the BC Freedom of Information and Privacy Association (FIPA), is concerned that UBC does not educate users of their Wi-Fi that this is happening.
“What is the purpose of that collection? There should be a place where the students can ask those questions and try to be informed because, the thing is informed consent, which doesn't sound like it’s really happening. I think that's where it becomes problematic,” said Neuert.
She recommended that the university adopt a policy of transparency about how data is stored and accessed.
UBC’s Policy SC14 is the main university policy that governs electronic information, and it has to operate in compliance with BC’s Freedom of Information and Protection of Privacy Act (FIPPA).
Paul Hancock, UBC legal counsel of information and privacy, explained that any use of personal information is strictly regulated by this legislation.
Under FIPPA, projects involving the use of personal data have to go through a Privacy Impact Assessment (PIA), according to Hancock.
“What the PIA process does is it looks both at the privacy of the data, are we allowed to use it, but also the security of the data, how's it going to be protected? So if data was being, for example, transmitted over email without encryption, that would be a big issue. That would probably not be permitted under the information security standards,” said Hancock.
However, if this personal information were to be compromised, there is legislation to ensure that those affected know about it.
“Under FIPPA, if there is a breach of your personal information, they are required to notify the person who's been impacted by that breach, and they [get a] letter,” said Neuert.
She also said that BC FIPA has started to advocate for a law that requires mandatory breach notifications to the office of the Information Privacy Commissioner. Such notifications would force UBC to be transparent and forthright about the misuse of students' data.
“If a public body has a breach, and they can happen, then that will be the first step: to contact that office, notify them of the breach and work with that office to actually create a plan for the breach redemption,” said Neuert.
“Because right now, there's no penalties.”
The Ubyssey is looking for student perspectives on data privacy. What do you think of how UBC IT manages its users' personal information? You can send your thoughts and letters to news@ubyssey.ca.