For Years, IS&T Has Monitored Network Data Without Policy

Graphs showing network traffic entering IS&T’s network security monitoring system.

Since 1999, Information Services and Technology has been collecting information about campus network traffic without an official policy governing how it may use or store the data.

Currently, IS&T monitors all network connections within campus, originating from campus or destined for campus, and makes a record of who connected to whom.

For instance, the logs would be able to show that a student visited a particular website at a particular time, but not what the website contained.

According to Timothy J. McGovern, Manager of I/T Security Support, this information is only stored for three days, though there is no official policy.

IS&T also monitors raw data going to and from MIT, which is scanned for anomalous patterns. Though it is possible for someone to look at the raw data, McGovern said that nobody does. Any suspicious activity is logged for no more than 30 days, McGovern said.

McGovern emphasized that no one outside of IS&T has access to the raw data or logs.

IS&T does not publicize any of these practices on its website.

Undergraduate Association President Noah S. Jessop ’09 said he was surprised that IS&T was collecting this information without notice. “It is not the kind of thing I would expect from MIT, and it is definitely not the kind of thing that I would expect to hear long after the fact.”

Data and connections being recorded

IS&T collects information on network activity in order to investigate compromised machines, which are machines that have been hacked or have a virus or worm. All connections are monitored, not only in academic buildings but also in dorms and FSILGs.

When I/T Security Support detects a compromised machine, they typically confirm that the machine is affected and then contact the machine’s owner to inform them of the compromise.

IS&T collects information about every connection on campus, and keeps it for three days. The logs include the connection’s source address and port, destination address and port, start timestamp, end timestamp, and the amount of data transferred over the connection. The logs don’t include any of the raw data that is transferred. McGovern said that the connection information is only stored for 3 days, and described that time as the “current operating policy.”

IS&T also scans a portion of all raw data that passes in and out of campus. The data is fed into an intrusion detection system that flags suspicious activity. McGovern said the raw data is not stored. Mike Halsall, information and network security analyst, said that the logs of suspicious activity are not kept for more than 30 days.

For both the connection logs and the suspicious activity logs, only two people have access: Halsall and Tom N. Jagatic, senior IT security consultant, both of whom work for IS&T. Jeffrey I. Schiller ’79, MIT Network Manager, confirmed that this data is being generated and it is only being sent to the I/T Security Support team. Schiller and McGovern both said that they have never seen a subpoena for these logs.

MIT has briefly stopped monitoring in the past. In 2004, as IS&T was undergoing reorganization, the raw data feed was shut off, which prompted complaints. According to McGovern, the port was turned back on when staff contacted Jerry Grochow ’68, the Vice President of Information Services and Technology, saying that “being able to detect and recover compromised machines was a good thing,” and Grochow directed that the port be turned on.

No Official Policy

Officially, IS&T collects DHCP logs, which are used to link people’s computers to their online addresses. These logs are what are typically subpoenaed when the RIAA or MPAA is pursuing an alleged copyright infringement case. The policy regarding DHCP logs is published on the IS&T website.

In contrast, IS&T does not appear to have any policy covering the retention and use of connection or security logs.

Professor Harold Abelson, who teaches 6.805 “Ethics and the Law on the Electronic Frontier,” found it troubling that these logs were being collected without public knowledge. “It’s a violation of fair information practices to be keeping logs that people don’t know about … If they’re collecting logs, they have to inform people that it’s there. If they’re collecting logs, there has to be a policy on how those logs are used or not used.”

Abelson also said that because these logs could involve student information, having a policy is especially important. He said that a policy would probably need input from the Council on Educational Technology.

About the logs, Jessop said, “It’s egregious to implement measures on the network that could be used to circumvent user privacy without both policies and procedures in place and some means for the users to understand what the implications to them might be.”

“If you told me this was Comcast, I wouldn’t have been quite as surprised,” he said.