Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Education

Graduate Students Analyze, Crack, and Remove Under-Desk Surveillance Devices (vice.com) 86

"Graduate students at Northeastern University were able to organize and beat back an attempt at introducing invasive surveillance devices that were quietly placed under desks at their school," reports Motherboard: Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school's Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the "Cybersecurity and Privacy Institute" which studies surveillance. These sensors were installed at night — without student knowledge or consent — and when pressed for an explanation, students were told this was part of a study on "desk usage," according to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter....

Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.... Luzzi wrote, the university had deployed "a Spaceti occupancy monitoring system" that would use heat sensors at groin level to "aggregate data by subzones to generate when a desk is occupied or not." Luzzi added that the data would be anonymized, aggregated to look at "themes" and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees "trust the university since you trust them to give you a degree...."

After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.... After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.

von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response. Motherboard writes that the controversy ultimately culminated with another listening session in which Luzzi "struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical."

"Afterwards, von Hippel took to Twitter and shares what becomes a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors are removed..."
This discussion has been archived. No new comments can be posted.

Graduate Students Analyze, Crack, and Remove Under-Desk Surveillance Devices

Comments Filter:
  • by PPH ( 736903 ) on Saturday December 03, 2022 @11:43PM (#63100710)

    All that was under our desks was wads of chewing gum.

    • by iggymanz ( 596061 ) on Saturday December 03, 2022 @11:50PM (#63100714)

      wads of chewing gum would be one way to cripple this system

    • . . . as long as it's supposedly "anonymized" (at first, anyway), what's the big deal?
      • I haven't read the study, but this type of thing can be done pretty easily with an ESP8266, and it is hard to believe they didn't do BLE beacons at the same time with the chip. It is also hard to believe that the sensors themselves anonymized data; it was likely anonymized (if at all) at the database level.

      • Allow me to pose you some questions. In the olden days, before social media, a small measure of personal privacy existed. The monetization of data hadn't been invented. Now, like this, someone has imagined a new way to gather data.. So..

        Is it wrong for a person to want privacy?

        Is it right, that just because I didn't explicitly say No, that the school has rights to gather any behavioral or biometric data they want?

        For women : does it matter that unknown actors know your menstrual cycle?

        Where are those lines
      • Groin?

        Is it possible that what they are actually looking for are illicit phones or other devices slipped in during exams?

      • If you use terms like supposedly and place anonymized between quotes, we don't have to talk about de-anonymization anymore. Which is trivial in a group so small and consistent as a school. Anonymization is an excuse, not a cure, for privacy invasion.
    • They were capturing your fingerprints!

    • FYI: Those wads were disguised sensors!
  • by S_Stout ( 2725099 ) on Saturday December 03, 2022 @11:51PM (#63100716)
    If this is what he feels is a good use of his time, spying on students who give the university money then lying about it, then he must be fired immediately as he provides negative value to the school.
    • spying on students who give the university money

      Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.

      then lying about it

      The proffered explanation, while stupid and unethical, is most likely true.

      • by larryjoe ( 135075 ) on Sunday December 04, 2022 @12:38AM (#63100780)

        spying on students who give the university money

        Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.

        This is incorrect. Looking at federal loans [ed.gov], the average amount of debt for undergraduate and graduate loans is almost the same. Some graduate students at some schools get free tuition and some don't.

        then lying about it

        The proffered explanation, while stupid and unethical, is most likely true.

        The proffered explanation and the students' claims are not necessarily exclusive. Just because there was some thought given to an academic, anonymized study does not preclude misused of the data.

      • Can't wait to start collecting some of that grad school money!

        How much more do we have to pay until that kicks in, then?

        • Can't wait to start collecting some of that grad school money!

          How much more do we have to pay until that kicks in, then?

          Generally they pay less than minimum wage, dump loads of work on you, and then stipulate in your contract that you're not allowed to have another job.

        • by ceoyoyo ( 59147 )

          My grad school required that students be paid $6 an hour, assuming 40 hours a week 50 weeks a year (lol). Before taxes. And you were prohibited from having another job.

          The thing is, the OP is correct, you are an employee, but you're also a student, so they just call you "trainee" and consider you whichever is most convenient at the moment.

          • A gross negative and a net negative still mean that the University is giving money to the grad student instead of taking money from them?

            Alrighty then.

            • by ceoyoyo ( 59147 )

              You're going to have to be a little less cryptic I'm afraid. I know it ruins the clever biting nature of the quip.

              I definitely got money from my grad school, yes, net over what they took back in tuition. Just very, very little.

      • Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.

        I think this applies more to post-graduate (PhD) students than graduate (Masters) students.

        • Most graduate students don't give money to the university. They receive money from the university. They are employees, not customers.

          I think this applies more to post-graduate (PhD) students than graduate (Masters) students.

          It really depends more on the field. For example, law school, medical school, and business school almost always make the students pay. English and the hard sciences usually pay the students. It's just a matter of whether you're valuable to them as a teaching/research assistant. They save tons of money by paying graduate students a small "stipend" to do a job that requires a professional. These positions pay less than adjunct professor positions, which also pay less than minimum wage.

          I'm pretty sure the scam

        • by ceoyoyo ( 59147 )

          The "graduate" that you're post of is graduation from an undergraduate degree. Both masters and PhD students are "graduate students." They're usually treated fairly similarly. In some places there aren't even separate programs, a Masters is just what you get if you don't fulfill the requirements for a PhD.

      • by q_e_t ( 5104099 )
        They can be both receiving and giving money to university, and the nett may be giving.
    • by Dutch Gun ( 899105 ) on Sunday December 04, 2022 @04:26AM (#63100960)

      What a bunch of whiners those students are. I mean, who wouldn't be perfectly fine with a sensor staring at their groin all day without any notification or consent?

    • by noodler ( 724788 )

      [q]spying on students[/q]
      Weeeeel, not really.
      It seems he was spying on the use of the tables, not the actual students.
      The sensor only sees heat but does not form an image.
      I don't really see how this is invading privacy or such things.

    • Oversight of many university executive positions is mostly non-existent. Unless they've done something outright illegal, you need to get, pretty much, the entire board of governors to agree to oust the president, which is usually almost impossible. There have been multiple instances of university presidents completely abusing their power, and, as they didn't violate their contract, absolutely nothing happened to them.

    • And people wonder why Americans litigate so much.
  • When I was in school we had to cards to get into out unix micro computer lab. It was a homegrown system that tracked us. These were school machines. The nefarious devices also had logs on what we were doing.

    At work many got into trouble because the used the work email, on company servers, to do personal stuff. Employees were using devices that were owned by the company, e-mail that was paid by the company, and got made because they did not have privacy of a personal account.

    I do understand that as tim

  • by quintessencesluglord ( 652360 ) on Saturday December 03, 2022 @11:56PM (#63100726)

    Beyond the surveillance issues, he lied to the students, hasn't really explained why this measure was necessary (as opposed to less intrusive measures to monitor whether desks are in use), and when sunlight is shined on this, he folds which implies something skizzy.

    And unfortunately, as surveillance has become more pervasive, discussions don't work, laws regulating don't work, nor pointing the cameras back.

    Maybe people losing their jobs when they pull stunts like this might.

    • I'll play devil's advocate and propose that this is something a little bigger than it appears at first glance. This being done at an institution that is looking at privacy is too much of a coincidence and a slap in the face on top of that. Is this a study that's actually designed to look at how the students react, subvert, or otherwise respond? It's possible that it could be a bit sloppy, a modern Stanford prison experiment. If that's the case, he obviously can't come out and say as much and even has to be
  • by Aviation Pete ( 252403 ) on Sunday December 04, 2022 @12:11AM (#63100748)
    in hacking surveillance devices. They learned something. Learning works best when you see a meaning in what you are doing. Too much of instruction comes without information about its practical relevance, so will be filtered out as unimportant by the brain.
  • That is a rather bizarre way to phrase it. Maybe they were looking to gather some other type of information from these young students?

    • by sglines ( 543315 )

      Maybe they were trying to figure out how hot each groin was. An easier way would be to go to a bar and look, but that's just my method.

  • by johnjones ( 14274 ) on Sunday December 04, 2022 @12:44AM (#63100786) Homepage Journal

    looks like a pretty basic PIR sensor (I cant see a teardown or any actual details on why its not encrypted )

    assigning a desk and then counting if you used it... hmmm as they say the student had keycards so this was just a fluff "research" to back up if the companies devices worked or not...

    turning the students into lab rats is pretty common but normally there is a vote/opt in so what they did here is not follow process and since the students are paying for their education (this is america) its the wrong thing to be doing.

    anyone actually have teardown photo's and details on the firmware screw up ?

       

  • by wonkavader ( 605434 ) on Sunday December 04, 2022 @12:55AM (#63100794)

    These are actually pretty neat.

    Pointless in this context, and they create more radio noise (which seems to have hurt one real experiment), but nice battery life.

    One has to wonder what the real purpose was? Trying to justify eliminating space/moving to a hoteling model?

    I'm assuming this is the product: https://www.enocean.com/en/pro... [enocean.com]

  • by Shadow of Eternity ( 795165 ) on Sunday December 04, 2022 @12:56AM (#63100798)

    This "study" WAS terrible, unethical, and a waste of money. In fact I'm doubtful there ever was a study at all and imho this was most likely either some kind of quid pro quo for the spyware company or an attempt at further normalizing orwellian surveillance state behavior.

  • by kenh ( 9056 )

    After that, the students at the Privacy Institute, which specialize in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted....

    For goodness sake, these devices don't have cameras or microphones, it's a "person detector", it tracks when there is or is not a body at the desk. Why in the world would this need to be "encrypted"? What elaborate "security" is needed?

    If the devices are on a network, they have a unique ID (MAC address, for example), but beyond that, they are tracking a Binary phenomenon, either there is or is not a body at the desk. If you don't match the unique ID of each sensor to a particular desk, there's plenty of sec

    • by bradley13 ( 1118935 ) on Sunday December 04, 2022 @01:34AM (#63100834) Homepage

      Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe - detect if someone is at a particular desk.

      According to TFA, desks are assigned to individuals. So this is 24/7 monitoring if you at your workstation. When did you arrive? How many time did you step away from your desk? For how long?

      Sure, someone walking by could do a headcount, but they probably aren't writing it down, and certainly aren't there 24/7.

    • If I see you pass me in the street you probably wouldn't think twice.
      If I follow you around everywhere you go, taking notes, watching your movements, you will (if you are sensible) go to the police and tell them you are being stalked.

    • by Anonymous Coward

      "Please, explain the harm of an automated sensor that does exactly the same thing any person walking through the room would observe"

      You have the answer, right in your question.

      The big problem with automated monitoring, is *scope*. It's one thing to live across from a neighbour, it's another to know what people are doing 5000km away, and another thing further to write it down, track, it, and correlate it with other movements.

      This is no way, even closely, the same as someone seeing you sitting there.

      - When "Bob" sees you sitting at the desk, does he write it down, put it in a database, and that data is kept for decades?

      - Is that data now

    • by RazorSharp ( 1418697 ) on Sunday December 04, 2022 @09:16AM (#63101302)

      The problem is normalizing tracking. You can look at most forms of data collection and argue that it, by itself, is innocuous. But this stuff doesn't happen in a vacuum. As another poster pointed out, they have assigned seating and so that links the sensors to individual students.

      We're normalizing having all our movements tracked—both physically and digitally—and I don't think that's a good thing.

    • Beep Beep.

      Oh darn, looks like KenH is leaving their desk after class. I better finish masturbating into their underwear and get out of the dorm room for the night. Again.

    • by Wolfrider ( 856 )

      --If you are serious about your reply, then YOU ARE PART OF THE PROBLEM - and please fuck off. There is absolutely NO need or justification for this kind of spying. Period.

  • by Black Parrot ( 19622 ) on Sunday December 04, 2022 @01:41AM (#63100836)

    Trying to cut back on the fapping, I suppose.

  • by renegade600 ( 204461 ) on Sunday December 04, 2022 @01:44AM (#63100838)

    I guess that is one way for the instructor to find out if a student has the hots for them.

  • I'm not sure, but if you wanted to just make sure students were attending class and even that others weren't just showing up pretending to be students there are better and more effective ways.

    Maybe they wanted to see how many people were sleeping through lectures or doing crosswords instead of paying attention. I did the latter in one class and while I got better at crosswords, the midterms made me realize I needed to stop reading the paper during class.

    Maybe there's some correlation between engaging prof

  • Can't you all see, this was a hoax. A good learning on own skin.
  • ... when a desk is occupied or not.

    Translation: When an employee/student is working or not. Don't bitch about your rights, feed them fake data: Put one or two of those click-to-heat pads on the chair. Then feel free to do something important. (Note: Leaving your workplace is probably fraud, being on-site is a condition of most jobs.)

  • Because that would be cancel culture.
  • by VeryFluffyBunny ( 5037285 ) on Sunday December 04, 2022 @04:57AM (#63100984)

    "trust the university since you trust them to give you a degree...."

    Well, he lied about the sensors & tried to mislead students. That's a pretty clear demonstration of his lack of integrity. What should we think now about the university's degrees?

  • Help me out here. Is there a word for pointing sensors at somebody's dick without their consent?

    /s
  • by anonymouscoward52236 ( 6163996 ) on Sunday December 04, 2022 @06:45AM (#63101100)

    These have been used for years at call centers and other offices to basically see if reps are stepping away too frequently for bathroom breaks. Weird it seems every single commenter thus far hasn't heard of them. They typically use PIR. Weird to call that "heat detectors", but I guess technically true? Unless a PIR is hacked in some extraordinary way (replacing the sensor?) you're not going to get a heat value out of it.

    • by indytx ( 825419 )

      These have been used for years at call centers and other offices to basically see if reps are stepping away too frequently for bathroom breaks. Weird it seems every single commenter thus far hasn't heard of them. . . .

      Maybe this is because the demographic that reads Slashdot is not the demographic that gets stuck working in call centers. Just sayin'.

      • I am familiar with them because I've seen jobs posted about maintaining them. (Apparently a few sensors in an environment weren't working right and needed to be re-calibrated or something.)

    • So, do you information about the manufacture ?

      Is there a web site about the internals of the device ?

      For educational purposes only.

  • Did anyone think maybe this was just part of a rather creative test for the cybersecurity students?
    • That is almost certainly the story Provost David Luzzi should have rolled with, once the pushback began, instead of what he did:

      obfuscating and then prevaricating.

  • ...that little pro-union propaganda.
    "...von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response"

    Yes, because you have to be in a union to have email.

  • by hdyoung ( 5182939 ) on Sunday December 04, 2022 @09:03AM (#63101280)
    Ugh. Just uuuggghhhhh. What university administrator thought this was a good idea? These people are supposed to understand grad students, but this shows serious disconnection from their job. Just a bad idea in soooo many ways.

    Grad students are a seriously weird, stressed-out bunch. They let nothing get in the way of their work. They will steal equipment, jimmy a door, filch supplies, and break any and all safety rules to keep their work going. They’re certainly not above putting the tip of a pen straight through a sensor that’s literally pointed at their genitals for no good reason. Omg hahaha I cant stop laughing.

    Another angle to this - grad students on GRA support are legally paid for 20 hours, but it’s universally accepted that 40-50 hours per week is required to make decent progress on a thesis project. Does the university really want to be taking hard data that proves their entire grad student structure is built on a foundation of flagrant violation of basically ALL the labor laws?

    So funny.
  • That is some extremely poor wording. School officials should know better all the regulations regarding human studies. That said, these are just room occupancy sensors which are are completely reasonable way to optimize lighting, heating, cooling, and other amenities. I feel like they could of just said they are used them to reduce electricity and heating and improve amenities where they are needed and no one would of batted an eye. That said, these vandals should be in jail, just contact the ethics board, h

    • by Megane ( 129182 )

      these are just room occupancy sensors

      I used to work for a place that did commercial lighting controls. Room occupancy sensors are mounted in ceilings, and sometimes on walls. When they are under a desk, they are not room occupancy sensors, they are desk occupancy sensors.

  • This guy needs to stop using big words he doesn't understand. "trust the university since you trust them to give you a degree...." Really? No, the students PAID for a degree.

    • Nah, they're grad students. The university pays them, they do research, which gets grants, and the university takes a cut of those.

  • If you didn't say NO, does that mean you said YES? Can anyone can do anything you?

    He didn't say NO, so I entered his room read his bank account and password info. Also, subsequently, I withdrew all the money in his accounts

    Sorry, *its in the terms of service*. He was informed when he checked that box.

    Is it fair for *any* condition imaginable to be put into the TOS?
  • A covert program to collect people's groin temperatures? WTAF?
  • by godrik ( 1287354 ) on Sunday December 04, 2022 @10:27AM (#63101402)

    You can not do these kind of studies in a university without IRB approval. I certainly hope for the researcher that they did get IRB approval, otherwise that is one of the few cases where you could get fired.

    And if the IRB did approval that, I'd really want to hear the rationale for letting this through.

    • Most students agree to various monitoring as part of their student agreement to be allowed on the computer systems. Such permissions have often been extended to include dorm monitoring, especially of the location and activity of portable devices. Logging and monitoring tools like Splunk have been sold to companies and campuses specifically to organize such data and provide desired location tracking for uses such as wellness checks, and the logs analyzed to detect unwelcome campus visitors or the devices of

    • What kind of study? What was he STUDYING? Who was at his or her desk when? Who cares? What was the goal here? (Certainly there was no hypothesis test involved.)

      • by godrik ( 1287354 )

        Is that why there was no IRB approval. It's not a scientific study therefore it is out of the scope of the IRB? I guess that makes sense.

  • No doubt this was a corporate study to see how well they work in a structured environment before selling them to corporations.

    Another reason why work from home is not optional. You need to control your work space.

  • Could this actually have been an exercise for that part of this institution, to see what they'd do about it?
  • True grad school story: Faculty wanted graduate students to punch in every time they worked because they suspected students were goofing off. Students enthusiastically supported the proposal, because it would document how poorly they were actually paid per hour (since everybody worked a lot more than 40 hours a week). Faculty realized what was about to happen. Proposal died w/o as much as a peep - and never came up again.

  • A better way to send a message to those that believe this is a good idea is the Rambo reply: One of the devices with a Bowie knife through it driven into the university presidents desk.
  • One night for them to install the hardware. One following night to stock my electronics parts box. I am sure there can be some useful parts to be found. Love to get some tremor sensors for example.

Technology is dominated by those who manage what they do not understand.

Working...