Logged on to UniWireless?
This article appeared in our print edition for the week beginning Monday 22rd August. Since that edition went to print, the University has responded to our questions, and the online version of the article (which you’re reading now) has been updated to reflect their comments.
If you have a phone or laptop set to automatically connect to UniWireless, then the University is recording where you go on campus and how long you spend in each place.
It’s using this data as part of a “learning analytics” project, that aims to, according to the University’s media statement on the matter, assess “how intensely and effectively the University’s infrastructure is used” — that is, how much students and staff are using all of the spaces in the University, and how people are moving around campus.
This wifi tracking, or “wifi analysis” as the University puts it, is “particularly important as we plan for the lengthy construction period of the Melbourne Metro Rail project, which will create disruption to access in and around the Parkville campus.”
Nevertheless, the project raises obvious privacy concerns. The University is quick to point out that its projects that use the data are not looking at individual students, but rather “only at aggregate data, mostly at total building level” — and indeed, there’s no evidence to suggest that the University is doing anything but that.
While the University’s statement doesn’t set out exactly what data is collected, data relating to individual students moving through campus was almost certainly collected and stored in the process of generating the aggregate data used for the project.
Even if the University ultimately has no nefarious intention for the data, the last few years have seen a number of well-publicised data breaches, with attackers successfully accessing data from sources ranging from the U.S. Government’s Office of Personnel Management, to the University of Sydney’s online economics experiment database.
A spokesperson for the University told Parkville Station that the data are securely stored according to the University’s “normal data retention and access protocols”. The University also assured us that no data was shared with any third parties, and that they wouldn’t do so in the future: “No data has been or will be shared with any party outside of the University”.
University of Melbourne Student Union (UMSU) President Tyson Holloway-Clarke told us that UMSU was “currently working with the University to fully understand” the current and future scope of the programme but that UMSU’s “understanding of the campus analytics program and the corresponding policies have not significantly improved since it became a matter of public interest and [they] are keen to know more”.
UMSU Education Academic Affairs Officer Tom Crowley thought the most important thing for the University to do was “make clear what is and isn’t being used”, as well as providing an option for “students who have concerns to opt out”.
The University, for its part, is confident that its disclosure and policy obligations are met, saying that “The University has clearly articulated terms and conditions for using its WiFi that all users are required to accept before full access is provided.”
While it’s true that the University’s enrolment declaration requires students to be “bound by the statutes, regulations, policies procedures and guidelines of the University”, we’re not aware of any requirement of consent in connecting to UniWireless other your central username and password.
Digging down into it, the University’s Privacy Policy requires the University to disclose what personal information is collected, how it’s used, and how it’s stored. The closest match to cover this particular case we could find is the “Provision and Acceptable Use of IT Policy” (MPF1314, if you’d like to look it up), which was approved at the start of June to replace the old Regulation 8.3.R2, repealed as part of the Uni’s policy consolidation project.
That policy contains a provision that “[p]roviders must maintain and retain for at least six months a record of users who have used facilities under their control and may use those records for purposes such as monitoring and managing the performance of facilities, cost recovery and load management”. We’re a bit sceptical that people would draw from that sentence that a project like the one described above is being carried out.
We haven’t exhaustively searched University policy, but we think there’s a legitimate question as to whether the disclosures the University has made to staff and students are enough to enable the “voluntary, informed, specific and current” consent encouraged by the University’s own summary outlining “Our Privacy Responsibilities”.
The University pointed us to its generic Privacy information page in response to our question about the policies governing the privacy aspects of the project.
Asking a totally-unrepresentative sample of the student population (check out the vox pops on page eight of the print edition for some of them) supported the hypothesis that most students didn’t know about the project was correct. That said, most (although certainly not all) of the students we asked didn’t have a particular problem with the project, acknowledging the value that the campus analytics provided. (Not to mention the incentive to keep UniWireless in top-notch condition.)