Today we are sharing two pieces of news: 

  • First, an urgent letter from four colleagues in the School of Computing warning about the impact of Endpoint Protection on privacy, academic freedom, and security. As the authors note, these issues have not been made clear by the university. Please share the letter widely.
  • Second, the Equity Committee of the Department of Philosophy is hosting a panel on Equity and Austerity on Monday, March 3, in Jeffrey Hall 115, from 2:00-3:20 pm. All are welcome to attend.

Open Letter on Privacy, Academic Freedom, and Security under Endpoint Protection

Queen’s is rolling out a requirement that faculty members enroll our personal devices (laptops, mobile phones, etc.) in Endpoint Protection this semester to access Queen’s tools like email, calendars, and OnQ. The software grants outside access to and control over those devices in ways that raise serious concerns for privacy, academic freedom, and security. These serious issues have not been made clear by Queen’s. As members of the School of Computing, we hope to remedy that in this article.

Endpoint Protection is a Microsoft product bundled with Teams, Sharepoint, Office, and Outlook that controls access to those tools and provides protection from viruses and other attacks. A few years ago, faculty and staff were required to install the software on all Queen’s owned computers and on any devices that needed access to finance and HR applications. It is now being required of all faculty and staff on all devices, Queen’s owned or not, to access most Queen’s resources (including email, calendars, and OnQ). Many faculty work remotely and on the go, often using personal laptops or personal mobile phones. Work calls now happen on our personal phones since Queen’s has removed phones from our offices. In order to continue using personal devices for work, we are now being required to put them under the control of Queen’s ITS and Microsoft.

The legitimate purpose of Endpoint Protection is to ensure that any device accessing Queen’s services is adequately protected from unauthorized access and malware. Queen’s needs to ensure this protection for insurance purposes. However, Endpoint Protection’s reach extends far beyond these legitimate purposes. It allows access to your computer or phone’s files and apps by both ITS staff and by Microsoft, as well as the ability to erase your data and run scripts on your device, which effectively allows unlimited access. In an interview with The Journal, ITS information security officer, Paul Muir, admitted that “data from personal devices such as photos, e-mails, or health information” could be accessed by ITS workers. Your dating app, your period tracker, your mental health journaling app, your selfies, and your texts would all be visible to ITS. The only assurance we’ve been given that ITS staff will not make use of that capability is that Muir trusts his colleagues not to do it, and Queen’s “doesn’t intend on accessing that information”. This is, frankly, alarming.

Even if ITS staff are generally trustworthy and professional, and if we could trust Queen’s leadership never to act against the interests of faculty, the situation is rife with potential for abuse and conflicts of interest. Students who work for ITS could succumb to the temptation to peek at exams or find information they could use to blackmail professors. This access could be used to spy on exes or stalk crushes. It could be used to interfere with union negotiations or tenure cases. None of these kinds of abuses should be facilitated.

In addition to being an invasion of privacy, Endpoint Protection is also an attack on academic freedom. Faculty members who need to store sensitive information for their research or service work use tools like Signal and Proton Mail for secure communications. Endpoint Protection would put that information not only in the hands of ITS workers but also Microsoft, a US-based tech company. Given the political situation south of the border, this means that anyone doing research about topics like abortion access, gender-affirming care, prison abolition, black studies, or technology policy has reason to be wary of their files being readable and erasable by foreign actors. (Microsoft is in partnership with OpenAI, which Elon Musk is attempting to purchase, so this is not just sci-fi-fueled paranoia.) We are being put in a situation where sensitive topics might need to be recorded on paper only. Some of us may be driven not to engage in sensitive research anymore in this environment.

This level of invasive access is not needed for the purpose of security and in fact, compromises security. The tool chosen is inappropriate for its stated purpose. Technology creep is a well-established phenomenon: if technology makes something possible, people will use it for that purpose, regardless of intentions. ITS (who get its mandate from higher administration) has shown a tendency to keep pushing for more invasive access to our devices despite past promises. When Endpoint Protection was first rolled out for Queen’s owned devices, they assured us it would never be required for personally owned devices. They are going back on that promise now. When two-factor authentication was being rolled out, they promised we would only have to give our credentials once every 30 days. That turned out to be laughably untrue. Endpoint Protection has many additional features that ITS says they are not implementing, but those features could be implemented in the future, as there is no procedure in place to prevent it. Once our devices are enrolled in the program, there will be nothing stopping ITS from making use of this access other than the flimsy protection of trust.

Unenrolling your device is possible, but unenrollment may not stop Microsoft from being able to access your device as there is no guarantee that the software will be removed upon unenrollment. This is particularly concerning for temporary adjunct faculty.

If there is no legitimate need for information, good security practice dictates that the information not be collected or stored. If access to information needs to be limited to particular purposes, good security practice dictates that there should be processes in place to monitor and control access. ITS is proposing to collect information for which Queen’s has no legitimate need, and has no process in place to adequately control access. This puts faculty members’ privacy and Queen’s operations at risk of more serious breaches. If an ITS worker’s credentials were compromised, that could give an outsider access to hundreds of personal and work devices. Endpoint Protection also creates a single point of failure. In the event of a malware attack, ransomware attack, or server crash, all linked devices would be affected, potentially bringing down the entire system. Without Endpoint Protection, each individual device is at much less risk from such adverse events.

So far QUFA’s response has been not to raise any objections to the new policy, and simply encourage members not to do work on our phones in the spirit of better work-life balance. While better work-life balance is a goal we share, we find this response disappointing. QUFA members should have their right to privacy and academic integrity upheld regardless of their work-life balance and which devices they use to achieve that balance. Some of us are parents of young children, so need to take 3pm Teams meetings from the schoolyard, catch up on emails while waiting for gymnastics class to let out, or need to remain reachable even if we’re dealing with an emergency trip to the orthodontist. Being able to work on our phones in circumstances like these is what allows us to balance work and life. Many of us also depend on a quick look at our calendars first thing in the morning, and at being able to connect to a Teams meeting on a phone if our laptop is having wifi issues, or the battery runs out. We all have different ways of managing this job, and suggesting that all QUFA members can get by without ever working on personal phones and laptops is unrealistic.

After looking into the technical specifications of Endpoint Protection software our recommendations are the following.

  • For Linux devices, there is not yet any compatible software, so you can request an exception from ITS and continue using your device without installing anything.
  • If your work involves sensitive topics, you may want to consider keeping associated files and communications in apps that do not provide a backdoor to ITS and Microsoft, and either getting a second computer for accessing Queen’s tools, or appealing to ITS for an exception for your device, so that you can continue to use essential tools like email, PeopleSoft, and Ventus. (It is not yet clear whether ITS will grant exceptions on these grounds, but one of the authors is currently trying this route.)
  • For Android phones, the software only gives full access to a partition where work-related apps are stored. Other files and apps on your device are not affected, though a list of installed apps is visible. For many users this makes the software no more invasive than it is on a Queen’s owned computer, so we see no major objections to installing the software. However, if the existence of certain apps on your phone could reveal personal information like disability status or sexual orientation, you might consider not installing the software.
  • For iPhones, iPads, Macs, and Windows computers, the software affects the entire device, so we recommend not installing it on any device that is not used exclusively for work purposes. Serious concerns remain about remote access to confidential research files.

If you do not install the software, here are some workarounds that you might use to continue to do your job without access to Queen’s email, calendars, Teams, and other tools. All of these come with drawbacks, so should be considered carefully:

  • It is possible to forward your Queen’s email to an outside email provider. From Outlook, click on Settings -> Mail -> Forwarding. You could also give your colleagues and students an external email address to use for everyday correspondence. Proton Mail is an option with excellent security and privacy, but also consider using a provider that will store your data on Canadian servers. Note that forwarding email to external providers may violate FIPPA and Queen’s policy, so we cannot recommend this strategy.
  • Your Queen’s calendar can be shared with an outside email account. From the calendar view of Outlook, click on Share, enter an email address, and make the status “Can view all details”. This will give you a URL you can use to add a calendar subscription in your calendar app. In iCal, click on Calendars -> Add Calendar Subscription. You can also make a work calendar in your calendar app to organize the events you schedule yourself.
  • When you schedule virtual meetings, you can use an outside provider like Zoom (with a personal account), Discord, or for more security and privacy, Signal.
  • Instead of using Teams to organize group projects, you can use an outside provider like Slack, Discord, or for more security and privacy, Signal.
  • Instead of using OnQ for your courses, you can have students submit assignments on paper or by email, and keep grades in a spreadsheet.
  • When you need to download rosters, upload grades to PeopleSoft, or check Ventus for accommodations, you can borrow an enrolled device from a colleague or use library computers. Library computers do not have access to finance and HR websites.

Note that these workarounds will mean lost productivity and less responsiveness to students and colleagues and in the case of email forwarding, potential liability and decreased security. It is common knowledge among privacy scholars that when workplaces increase security measures beyond the point that workers find reasonable, workers use shortcuts that end up decreasing security (like posting passwords to shared computers on sticky notes or using passwords like P@ssword123!).

Our hope is that the university will reconsider the decision to require Endpoint Protection on personal devices and that in light of this information, QUFA will step up to apply pressure toward that goal. Endpoint Protection is not the only way the security Queen’s needs for insurance purposes could be achieved. However, if the rollout goes ahead, the workarounds above at least provide ways of continuing to get our work done without accepting this incursion on our privacy, academic freedom, and the security of our research data.

Signed:

Christian Muise, Wendy Powley, James Stewart, and Catherine Stinson

With thanks to several other colleagues who shared information and concerns.

Leave a comment