Graduate Students Analyze, Crack, and Remove Under-Desk Surveillance Devices (vice.com) 86
"Graduate students at Northeastern University were able to organize and beat back an attempt at introducing invasive surveillance devices that were quietly placed under desks at their school," reports Motherboard:
Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school's Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the "Cybersecurity and Privacy Institute" which studies surveillance. These sensors were installed at night — without student knowledge or consent — and when pressed for an explanation, students were told this was part of a study on "desk usage," according to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter....
Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.... Luzzi wrote, the university had deployed "a Spaceti occupancy monitoring system" that would use heat sensors at groin level to "aggregate data by subzones to generate when a desk is occupied or not." Luzzi added that the data would be anonymized, aggregated to look at "themes" and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees "trust the university since you trust them to give you a degree...."
After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.... After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.
von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response. Motherboard writes that the controversy ultimately culminated with another listening session in which Luzzi "struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical."
"Afterwards, von Hippel took to Twitter and shares what becomes a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors are removed..."
Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.... Luzzi wrote, the university had deployed "a Spaceti occupancy monitoring system" that would use heat sensors at groin level to "aggregate data by subzones to generate when a desk is occupied or not." Luzzi added that the data would be anonymized, aggregated to look at "themes" and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees "trust the university since you trust them to give you a degree...."
After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.... After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.
von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response. Motherboard writes that the controversy ultimately culminated with another listening session in which Luzzi "struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical."
"Afterwards, von Hippel took to Twitter and shares what becomes a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors are removed..."
I remember university (Score:5, Funny)
All that was under our desks was wads of chewing gum.
Re:I remember university (Score:4, Insightful)
wads of chewing gum would be one way to cripple this system
Re: (Score:3)
Don't leave your own DNA in/on the gum.
Re: (Score:2)
trivial to make a pristine wad and then DNA of any school official you don't like in it
Chewing Gum, Groin Heat Monitor. . . (Score:2)
Re: (Score:3)
Re: (Score:3)
These rollouts are part of what Cory Doctrow calls the "shitty technology adoption curve” whereby horrible, unethical and immoral technologies are normalized and rationalized by being deployed on vulnerable populations for constantly shifting reasons. You start with people whose concerns can be ignored—migrants, prisoners, homeless populations—then scale it upwards—children in school, contractors, un-unionized workers. By the time it gets to people whose concerns and objections would be the loudest and most integral to its rejection, the technology has already been widely deployed.
It doesn't honestly matter what they were tracking in the present, or what the sensors might evolve to track. If you make graduate students who investigate and expose privacy violating surveillance devices comfortable with them, who is left to object tto their ubiquity?
Re: (Score:2)
I haven't read the study, but this type of thing can be done pretty easily with an ESP8266, and it is hard to believe they didn't do BLE beacons at the same time with the chip. It is also hard to believe that the sensors themselves anonymized data; it was likely anonymized (if at all) at the database level.
Re: Chewing Gum, Groin Heat Monitor. . . (Score:3)
Is it wrong for a person to want privacy?
Is it right, that just because I didn't explicitly say No, that the school has rights to gather any behavioral or biometric data they want?
For women : does it matter that unknown actors know your menstrual cycle?
Where are those lines
Re: Chewing Gum, Groin Heat Monitor. . . (Score:2)
Groin?
Is it possible that what they are actually looking for are illicit phones or other devices slipped in during exams?
Re: Chewing Gum, Groin Heat Monitor. . . (Score:2)
Re: (Score:2)
Slipped where?
Pocket. But if they are prohibited, people will probably hold them low in their laps while using them.
Re: (Score:2)
Re: (Score:2)
They were capturing your fingerprints!
Re: (Score:1)
David Luzzi must be fired. (Score:4, Insightful)
Re: (Score:1)
spying on students who give the university money
Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.
then lying about it
The proffered explanation, while stupid and unethical, is most likely true.
Re:David Luzzi must be fired. (Score:5, Insightful)
spying on students who give the university money
Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.
This is incorrect. Looking at federal loans [ed.gov], the average amount of debt for undergraduate and graduate loans is almost the same. Some graduate students at some schools get free tuition and some don't.
then lying about it
The proffered explanation, while stupid and unethical, is most likely true.
The proffered explanation and the students' claims are not necessarily exclusive. Just because there was some thought given to an academic, anonymized study does not preclude misused of the data.
Re: David Luzzi must be fired. (Score:1)
How much more do we have to pay until that kicks in, then?
Re: (Score:2)
Can't wait to start collecting some of that grad school money!
How much more do we have to pay until that kicks in, then?
Generally they pay less than minimum wage, dump loads of work on you, and then stipulate in your contract that you're not allowed to have another job.
Re: David Luzzi must be fired. (Score:1)
Re: (Score:2)
My grad school required that students be paid $6 an hour, assuming 40 hours a week 50 weeks a year (lol). Before taxes. And you were prohibited from having another job.
The thing is, the OP is correct, you are an employee, but you're also a student, so they just call you "trainee" and consider you whichever is most convenient at the moment.
Re: David Luzzi must be fired. (Score:1)
Alrighty then.
Re: (Score:2)
You're going to have to be a little less cryptic I'm afraid. I know it ruins the clever biting nature of the quip.
I definitely got money from my grad school, yes, net over what they took back in tuition. Just very, very little.
Re: (Score:2)
Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.
I think this applies more to post-graduate (PhD) students than graduate (Masters) students.
Re: (Score:3)
Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.
I think this applies more to post-graduate (PhD) students than graduate (Masters) students.
It really depends more on the field. For example, law school, medical school, and business school almost always make the students pay. English and the hard sciences usually pay the students. It's just a matter of whether you're valuable to them as a teaching/research assistant. They save tons of money by paying graduate students a small "stipend" to do a job that requires a professional. These positions pay less than adjunct professor positions, which also pay less than minimum wage.
I'm pretty sure the scam
Re: (Score:2)
The "graduate" that you're post of is graduation from an undergraduate degree. Both masters and PhD students are "graduate students." They're usually treated fairly similarly. In some places there aren't even separate programs, a Masters is just what you get if you don't fulfill the requirements for a PhD.
Re: (Score:2)
Re:David Luzzi must be fired. (Score:5, Funny)
What a bunch of whiners those students are. I mean, who wouldn't be perfectly fine with a sensor staring at their groin all day without any notification or consent?
Re: (Score:1)
[q]spying on students[/q]
Weeeeel, not really.
It seems he was spying on the use of the tables, not the actual students.
The sensor only sees heat but does not form an image.
I don't really see how this is invading privacy or such things.
Oversight (Score:2)
Oversight of many university executive positions is mostly non-existent. Unless they've done something outright illegal, you need to get, pretty much, the entire board of governors to agree to oust the president, which is usually almost impossible. There have been multiple instances of university presidents completely abusing their power, and, as they didn't violate their contract, absolutely nothing happened to them.
Re: (Score:2)
Ownership (Score:2)
At work many got into trouble because the used the work email, on company servers, to do personal stuff. Employees were using devices that were owned by the company, e-mail that was paid by the company, and got made because they did not have privacy of a personal account.
I do understand that as tim
Re: Ownership (Score:2)
And Luzzi is losing his job when? (Score:5, Insightful)
Beyond the surveillance issues, he lied to the students, hasn't really explained why this measure was necessary (as opposed to less intrusive measures to monitor whether desks are in use), and when sunlight is shined on this, he folds which implies something skizzy.
And unfortunately, as surveillance has become more pervasive, discussions don't work, laws regulating don't work, nor pointing the cameras back.
Maybe people losing their jobs when they pull stunts like this might.
Re: (Score:3)
at least the students got practical experience (Score:5, Interesting)
Heat sensors... at groin level? (Score:2)
That is a rather bizarre way to phrase it. Maybe they were looking to gather some other type of information from these young students?
Re: (Score:1)
Maybe they were trying to figure out how hot each groin was. An easier way would be to go to a bar and look, but that's just my method.
PIR sensor - cisco device - (Score:5, Interesting)
looks like a pretty basic PIR sensor (I cant see a teardown or any actual details on why its not encrypted )
assigning a desk and then counting if you used it... hmmm as they say the student had keycards so this was just a fluff "research" to back up if the companies devices worked or not...
turning the students into lab rats is pretty common but normally there is a vote/opt in so what they did here is not follow process and since the students are paying for their education (this is america) its the wrong thing to be doing.
anyone actually have teardown photo's and details on the firmware screw up ?
6.5 years on a battery (Score:5, Interesting)
These are actually pretty neat.
Pointless in this context, and they create more radio noise (which seems to have hurt one real experiment), but nice battery life.
One has to wonder what the real purpose was? Trying to justify eliminating space/moving to a hoteling model?
I'm assuming this is the product: https://www.enocean.com/en/pro... [enocean.com]
These aren't concerns, concerns are a potential. (Score:3, Informative)
This "study" WAS terrible, unethical, and a waste of money. In fact I'm doubtful there ever was a study at all and imho this was most likely either some kind of quid pro quo for the spyware company or an attempt at further normalizing orwellian surveillance state behavior.
STOP! Just stop, please... (Score:1, Interesting)
After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted....
For goodness sake, these devices don't have cameras or microphones, it's a "person detector", it tracks when there is or is not a body at the desk. Why in the world would this need to be "encrypted"? What elaborate "security" is needed?
If the devices are on a network, they have a unique ID (MAC address, for example), but beyond that, they are tracking a Binary phenomenon, either there is or is not a body at the desk. If you don't match the unique ID of each sensor to a particular desk, there's plenty of sec
Re: STOP! Just stop, please... (Score:5, Informative)
Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe - detect if someone is at a particular desk.
According to TFA, desks are assigned to individuals. So this is 24/7 monitoring if you at your workstation. When did you arrive? How many time did you step away from your desk? For how long?
Sure, someone walking by could do a headcount, but they probably aren't writing it down, and certainly aren't there 24/7.
Re: (Score:2)
If I see you pass me in the street you probably wouldn't think twice.
If I follow you around everywhere you go, taking notes, watching your movements, you will (if you are sensible) go to the police and tell them you are being stalked.
Re: (Score:1)
"Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe"
You have the answer, right in your question.
The big problem with automated monitoring, is *scope*. It's one thing to live across from a neighbour, it's another to know what people are doing 5000km away, and another thing further to write it down, track, it, and correlate it with other movements.
This is no way, even closely, the same as someone seeing you sitting there.
- When "Bob" sees you sitting at the desk, does he write it down, put it in a database, and that data is kept for decades?
- Is that data now
Re:STOP! Just stop, please... (Score:4, Interesting)
The problem is normalizing tracking. You can look at most forms of data collection and argue that it, by itself, is innocuous. But this stuff doesn't happen in a vacuum. As another poster pointed out, they have assigned seating and so that links the sensors to individual students.
We're normalizing having all our movements tracked—both physically and digitally—and I don't think that's a good thing.
Re: (Score:2)
Beep Beep.
Oh darn, looks like KenH is leaving their desk after class. I better finish masturbating into their underwear and get out of the dorm room for the night. Again.
Re: (Score:2)
--If you are serious about your reply, then YOU ARE PART OF THE PROBLEM - and please fuck off. There is absolutely NO need or justification for this kind of spying. Period.
Under-desk motion sensors? (Score:5, Funny)
Trying to cut back on the fapping, I suppose.
I guess (Score:3)
I guess that is one way for the instructor to find out if a student has the hots for them.
Was this trying to see how fidgety students were? (Score:2)
I'm not sure, but if you wanted to just make sure students were attending class and even that others weren't just showing up pretending to be students there are better and more effective ways.
Maybe they wanted to see how many people were sleeping through lectures or doing crosswords instead of paying attention. I did the latter in one class and while I got better at crosswords, the midterms made me realize I needed to stop reading the paper during class.
Maybe there's some correlation between engaging prof
The third wave (Score:2)
Don't bitch about it (Score:2)
Translation: When an employee/student is working or not. Don't bitch about your rights, feed them fake data: Put one or two of those click-to-heat pads on the chair. Then feel free to do something important. (Note: Leaving your workplace is probably fraud, being on-site is a condition of most jobs.)
Shouldn't lose his job (Score:2)
Trust? (Score:3)
"trust the university since you trust them to give you a degree...."
Well, he lied about the sensors & tried to mislead students. That's a pretty clear demonstration of his lack of integrity. What should we think now about the university's degrees?
Consent Matters! (Score:2)
Already used (Score:3)
These have been used for years at call centers and other offices to basically see if reps are stepping away too frequently for bathroom breaks. Weird it seems every single commenter thus far hasn't heard of them. They typically use PIR. Weird to call that "heat detectors", but I guess technically true? Unless a PIR is hacked in some extraordinary way (replacing the sensor?) you're not going to get a heat value out of it.
Re: (Score:2)
These have been used for years at call centers and other offices to basically see if reps are stepping away too frequently for bathroom breaks. Weird it seems every single commenter thus far hasn't heard of them. . . .
Maybe this is because the demographic that reads Slashdot is not the demographic that gets stuck working in call centers. Just sayin'.
Re: (Score:2)
I am familiar with them because I've seen jobs posted about maintaining them. (Apparently a few sensors in an environment weren't working right and needed to be re-calibrated or something.)
Re: (Score:1)
So, do you information about the manufacture ?
Is there a web site about the internals of the device ?
For educational purposes only.
Part of their final grade (Score:2)
Re: (Score:2)
That is almost certainly the story Provost David Luzzi should have rolled with, once the pushback began, instead of what he did:
obfuscating and then prevaricating.
I like especially (Score:1)
...that little pro-union propaganda.
"...von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response"
Yes, because you have to be in a union to have email.
Groin monitoring devices (Score:3)
Grad students are a seriously weird, stressed-out bunch. They let nothing get in the way of their work. They will steal equipment, jimmy a door, filch supplies, and break any and all safety rules to keep their work going. They’re certainly not above putting the tip of a pen straight through a sensor that’s literally pointed at their genitals for no good reason. Omg hahaha I cant stop laughing.
Another angle to this - grad students on GRA support are legally paid for 20 hours, but it’s universally accepted that 40-50 hours per week is required to make decent progress on a thesis project. Does the university really want to be taking hard data that proves their entire grad student structure is built on a foundation of flagrant violation of basically ALL the labor laws?
So funny.
Poor Wording (Score:2)
That is some extremely poor wording. School officials should know better all the regulations regarding human studies. That said, these are just room occupancy sensors which are are completely reasonable way to optimize lighting, heating, cooling, and other amenities. I feel like they could of just said they are used them to reduce electricity and heating and improve amenities where they are needed and no one would of batted an eye. That said, these vandals should be in jail, just contact the ethics board, h
Re: (Score:2)
these are just room occupancy sensors
I used to work for a place that did commercial lighting controls. Room occupancy sensors are mounted in ceilings, and sometimes on walls. When they are under a desk, they are not room occupancy sensors, they are desk occupancy sensors.
Trust? (Score:2)
This guy needs to stop using big words he doesn't understand. "trust the university since you trust them to give you a degree...." Really? No, the students PAID for a degree.
Re: (Score:2)
Nah, they're grad students. The university pays them, they do research, which gets grants, and the university takes a cut of those.
Open questions (Score:2)
He didn't say NO, so I entered his room read his bank account and password info. Also, subsequently, I withdrew all the money in his accounts
Sorry, *its in the terms of service*. He was informed when he checked that box.
Is it fair for *any* condition imaginable to be put into the TOS?
Harmless and benign? Riiiiiiight. (Score:1)
Where was the IRB? (Score:3)
You can not do these kind of studies in a university without IRB approval. I certainly hope for the researcher that they did get IRB approval, otherwise that is one of the few cases where you could get fired.
And if the IRB did approval that, I'd really want to hear the rationale for letting this through.
Re: (Score:3)
Most students agree to various monitoring as part of their student agreement to be allowed on the computer systems. Such permissions have often been extended to include dorm monitoring, especially of the location and activity of portable devices. Logging and monitoring tools like Splunk have been sold to companies and campuses specifically to organize such data and provide desired location tracking for uses such as wellness checks, and the logs analyzed to detect unwelcome campus visitors or the devices of
Re: (Score:2)
What kind of study? What was he STUDYING? Who was at his or her desk when? Who cares? What was the goal here? (Certainly there was no hypothesis test involved.)
Re: (Score:2)
Is that why there was no IRB approval. It's not a scientific study therefore it is out of the scope of the IRB? I guess that makes sense.
Follow the Money (Score:2)
No doubt this was a corporate study to see how well they work in a structured environment before selling them to corporations.
Another reason why work from home is not optional. You need to control your work space.
"Cybersecurity and Privacy Institute" (Score:2)
Be careful what you ask for ... (Score:2)
True grad school story: Faculty wanted graduate students to punch in every time they worked because they suspected students were goofing off. Students enthusiastically supported the proposal, because it would document how poorly they were actually paid per hour (since everybody worked a lot more than 40 hours a week). Faculty realized what was about to happen. Proposal died w/o as much as a peep - and never came up again.
A Better Way (Score:1)
Supplies (Score:2)