AU installs surveillance software without forewarning or data governance
From https://aufa.ca/blog
Last week several AU staff received a notification that software called Netskope was installed on their AU laptops. The extent of the installation is not known completely.
Last week, AU staff received a notification that software called Netskope had been installed on their company laptops. Netskope is a suite of security software, but importantly the software that has been installed is specifically for employee monitoring. “Man in the middle” software such as this is typically for monitoring protection of privacy acts and security requirement for intellectual property. This software is installed on both PCs and Macs.
This is importantly not limited to AU systems. As the software is on a laptop, it means everything on that laptop can be monitored, which includes web traffic, documents and the content of emails in -any- email system whether it is gmail, or my own AUFA email system. Accessing AU systems via a personal computer will not be subject to the same monitoring as Netskope will not be installed on your personal computers.
Although there have been assumptions about employee monitoring at AU for years by staff, this has not been the case. Previously, any access to information such as stored documents or emails has been tightly controlled with no easy access for management or IT staff. By installing software such as this, Netskope tracks traffic from the computer, which allows AU to gather, store, and review any information they so wish.
In this last round of bargaining, our team attempted to get language which would prevent surveillance, which was dismissed by AU as something they’d never consider, going so far as to say “you have rights”.
What can Netskope track?
Our understanding of Netskope is that it can be used to track any activity on AU cloud-hosted systems and monitored websites. There is the possibility this software could be used for far greater surveillance but its extent is not entirely known. Appropriate governance and public documents over its intended purpose is the best way for AU to settle any fears.
We understand that this software does not currently do retroactive searches (such as through the history of your Teams chats) but this is a potential use for it.
Lack of data governance
We are completely unaware of any attempts to implement appropriate governance of this massive new data collection initiative. FOIP rules indicate that anyone whose data is collected by a public institution should know how it is collected, stored, accessed, and for what purposes. They must then be informed of any changes to the above. Currently there appear to be no rules at all to how this data will be controlled.
This has profound implications for research ethics, as well as for AUFA members whose communications on AU computers contains “for your eyes only” information such as legal opinions, research data, medical information, or any variety of personal information that is passively collected by the employer. There is a long history of AU staff, particularly academics, using AU computers for personal use which is allowed within policy. That personal information is now subject to employer monitoring.
Monitoring for policy compliance
Additionally, this software is used to monitor compliance with AU policy such as workplace behavioural standards or to pursue leaks of sensitive information or IP. Academic research may routinely engage in subject matter which is considered “not safe for work” such as scholarship on sexuality, sex work, pornography, racism, other forms of bigotry, and profanity itself. This could trigger disciplinary investigations into academics doing the jobs they were hired for. There are also profound concerns over equity as LGBQ and 2STNBGC content is often considered inappropriate for workplaces as a form of passive discrimination.
Monitoring staff in any circumstance is a gross violation of reasonable expectation of privacy. Monitoring academics at a research university is a spectacular act of self-sabotage which compromises the very mission of the university. Academic freedom is impossible in a climate of surveillance as all research activity comes under the scrutiny and thus approval of the boss.
Advice
AUFA is currently investigating this and will strongly fight for the right to privacy for our members through all means possible. We advise that AUFA members who have had Netskope installed on their work laptops immediately remove any personal information from those computers as well as from any cloud systems controlled by AU such as OneDrive. Please be aware that any confidential, private, and personal information may be subject to data collection by the employer.
It is feasible for the employer to implement such software and implement strict safeguards to ensure that security incidents are caught, but the software is not used to gather or monitor employee behaviour on systems. This would require careful governance and extensive consultation with staff representatives.
There are many unanswered questions about Netskope and its intended use. What we have now is an idea of what has been installed, its intended use, and its potential for further use. We will keep members updated as more information becomes available.
Solidarity,
AUFA President
David Powell