The COVID-19 pandemic has made surveillance more pervasive than ever in schools, universities, and much of daily life over the past few years. However, graduate students at Northeastern University successfully organized and thwarted an attempt to implement intrusive monitoring devices that were covertly hidden under desks at their institution back in October.
At the school's Interdisciplinary Science & Engineering Complex (ISEC), a building utilized by graduate students and the location of the "Cybersecurity and Privacy Institute" that researches surveillance, Senior Vice Provost David Luzzi put motion sensors beneath every desk at the beginning of October.
According to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter, these sensors were installed at night—without student knowledge or consent—and when students were asked for an explanation, they were told this was part of a study on "desk usage."
When academic institutions compete for access to facilities, those with the best funding or who receive the most grant money tend to prevail. It may make sense for the university to attempt and investigate how desks are used in order to increase or optimize access to the ISEC because it is a wonderful building, the computer science department brings in a lot of money, and they get to use it a lot.
But according to Von Hippel, since workstations are assigned and badges are needed to enter the rooms, desk utilization can already be monitored. Instead, he thinks the sensors were used as an excuse by the building's owner, the administration, to eject computer science students who don't make as much use of it as other students might.
Students started to voice concerns about the sensors as a result, and Luzzi responded by sending an email that attempted to answer the concerns made by students.
“In order to develop best practices for assigning desks and seating within ISEC, the Office of the Provost will be conducting a study aimed at quantifying the usage of currently assigned seating in the write-up areas outside of the labs and the computational research desks,” the email reads. “The results will be used to develop best practices for assigning desks and seating within ISEC (and EXP in due course).”
An unplanned listening session was held in the ISEC after that email. Luzzi urged graduate students present at this initial listening session to "trust the university since you trust them to grant you a degree." Luzzi said that "we are not performing any scientific here" as a further justification for the choice to forego requesting IRB permission.
After that, the Privacy Institute students—who focus on researching surveillance and undoing its negative effects—started removing the sensors, hacking into them, and creating an open-source manual to help other students do the same. Students at the Privacy Institute discovered that contrary to Luzzi's claims, the gadgets were only moderately secure and the data was not encrypted.
"The way that this facility's students, including myself, obtain publications is by examining the shortcomings of systems like these. They could not have chosen a better group of students to figure out why their study was flawed, so we explain what's awful about them and why they don't work," von Hippel added.
Students hacked the devices and then sent an open letter to Joseph E. Aoun, the president of the university, and Luzzi requesting that the sensors be taken down because they were intimidating, a part of a poorly designed study, and were used without IRB approval despite the fact that human subjects were the focus of the purported study.
“Resident in ISEC is the Cybersecurity and Privacy Institute, one of the world’s leading groups studying privacy and tracking, with a particular focus on IoT devices. To deploy an under-desk tracking system to the very researchers who regularly expose the perils of these technologies is, at best, an extremely poor look for a university that routinely touts these researchers’ accomplishments. At worst, it raises retention concerns and is a serious reputational issue for Northeastern,” the letter reads.
Then there was another listening session, this time just for professors, and Luzzi argued that since the devices "don't perceive humans in particular, they sense any heat source," they are not subject to IRB approval. Later, more sensors were taken out and placed in a "public art piece" that read "NO" in the foyer of the building.
In response to the open letter, which has gained widespread distribution and hundreds of signatures, as well as ongoing complaints and sensor removals, Luzzi then issued an email arranging for another listening session to address students and faculty. By all accounts, that listening session was a complete failure.
In a transcript of the event that Motherboard reviewed, Luzzi tries to allay worries that the study is intrusive, carelessly executed, expensive, and probably unethical. When a faculty member reveals that the Institutional Review Board (IRB), which ensures that the rights and welfare of human research subjects are protected, never received any submissions, he claims that they submitted a proposal to the IRB, only to concede that this never happened.
Luzzi also made an effort to brush off the issues as being unique to the Privacy Institute because "your lived experience is more desk-centric" as opposed to other graduate students.
Von Hippel then posted on Twitter what quickly gained popularity, detailing the complete sequence of events from the covert installation of the sensors to the listening session that day. After removing the sensors, Luzzi sends one final email reading:
"Given the concerns voiced by a population of our graduate students around the project to gather data on desk usage in a model research building (ISEC), we are pulling all of the desk occupancy sensors from the building. For those of you who have engaged in discussion, please accept my gratitude for that engagement."
This was a particularly enlightening experience because it demonstrates that monitoring need not be ongoing and that those who are impacted by it can work together to eliminate it. Von Hippel claims that the department of computer science is overrun with union members, which contributes in part to their success. The majority of the engaged students were not members of an established NLRB union, as were the graduate students at the university in general. However, graduate students are in a good position to put pressure on colleges when they make unreasonable or immoral demands.